Facebook discloses a major breach. Botnet brute forcing ransomware. Retail domain typosquatting. ATM wiretapping. Ransomware in San Diego. SEC hits cyber deficiencies. Assange retires?

Dave Bittner: [00:00:03] Facebook discloses a cyberattack that affected 50 million users. A botnet is brute-forcing credentials. Cybercriminals show signs of ramping up spoofed retail domains in preparation for holiday shopping. The U.S. Secret Service warns of ATM wiretapping. The Port of San Diego struggles with ransomware. The U.S. SEC fines a company for cyber deficiencies. Mr. Assange goes offline.

Dave Bittner: [00:00:28] Andrea Little Limbago from Endgame joins us. We discuss how cybercapabilities intersect with international statecraft and warfare. And some guy says he'll livestream his annihilation of a prominent Facebook page.

Dave Bittner: [00:00:47] It's time for a message from our sponsor, Recorded Future. You've heard of Recorded Future. They're the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give InfoSec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting and collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/intel and subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. It's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:52] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, September 28, 2018. Late this morning, Facebook disclosed that it had been the victim of a cyberattack. According to reports in The New York Times and elsewhere, it's thought that at least 50 million accounts were affected, with user information exposed. According to Facebook CEO Mark Zuckerberg's own Facebook post, the company discovered the issue on Tuesday. Attackers stole access tokens that would, in principle, have allowed them to log in to roughly 50 million people's accounts. He says they don't yet know if any information exposed in the attack has been misused, but investigation continues.

Dave Bittner: [00:02:36] The social media company has patched the vulnerabilities the hackers used to get the tokens, and they've invalidated the stolen tokens. Thus, if you find yourself logged out of Facebook, that's why. You'll have to log back in to regain access to your account. The company has notified the affected users with a message that appears on top of their news feed, so look for it there when you get back in.

Dave Bittner: [00:02:59] Facebook has also taken down the service's View As feature, which is the one that contained the vulnerability the hackers exploited. View As is a tool that lets you see yourself, or at least your profile, as others see you. The company has taken the additional precaution of logging users out who used the View As feature since Tuesday.

Dave Bittner: [00:03:21] Guy Rosen, Facebook's vice president of product management, blogged that the vulnerability arose from, quote, "the complex interaction of multiple issues in our code," unquote, which he says stemmed from changes they made to their video uploading feature in July of 2017. The investigation is still in progress, of course, so there's not even a preliminary attribution. Facebook has involved law enforcement, and they want their users to know that they regret the attack. The story is developing, and, no doubt, more will emerge over the weekend.

Dave Bittner: [00:03:53] Phorpiex/Trik, a botnet with some worm functionality, is brute-forcing ransomware through port 5900. It finds vulnerable remote desktop protocol and virtual networking computer servers and runs through a list of commonly used credentials to gain access. Researchers at SecurityScorecard say the payload is typically a GandCrab ransomware variant.

Dave Bittner: [00:04:17] The holiday season isn't here yet but it's not too early to begin thinking about retail security. Security firm Venafi is observing an unpleasant expanse of look-alike domains being registered with the apparent intent of duping online shoppers. When you do begin your holiday shopping, watch your typing and don't fall for an impostor site.

Dave Bittner: [00:04:39] The U.S. Secret Service is warning banks that there's an increase in ATM wiretapping attacks that involve drilling a small hole in an ATM, inserting the skimmer, often with an endoscope, and then covering the hole, often with a little sticker that has the bank's logo on it. If you've got an ATM in your mom and pop shop, give it a once-over and pay attention to any warnings from the bank.

Dave Bittner: [00:05:03] The Port of San Diego continues to struggle with a ransomware infestation in its business systems. It's now been running for several days and seems unusually resistant to remediation. The business systems affected seemed to be noncore and not crucial to port operations - things like parking access, parking permits, public records requests, business document filings and so on.

Dave Bittner: [00:05:25] The Port of San Diego surely includes a cargo and cruise ship handling port proper, but its remit also extends to the city's waterfront parks, shops, museums, convention center and marinas. It's 34 miles of coastline - that's 55 kilometers for our international listeners - and the activities the port's responsible for pretty much cover the waterfront.

Dave Bittner: [00:05:48] In the first case of its kind, the U.S. Securities and Exchange Commission is bringing an enforcement action against Voya Financial advisers for poor cybersecurity. Acting against a company for deficient cybersecurity, the U.S. Securities and Exchange Commission has obtained an agreement from Voya Financial advisers to pay $1 million in fines over violations of the Safeguards Rule and the identity theft Red Flags Rule. The SEC says this is its first enforcement action under the Red Flags Rule.

Dave Bittner: [00:06:20] After receiving some tough love from Ecuador's London embassy, Julian Assange has stepped down as the leader of WikiLeaks. Spokesperson Kristinn Hrafnsson will take over. Mr. Assange is still in the embassy, but Ecuador's taken away his internet access. Ecuador's president Moreno is thought to regard Mr. Assange as an embarrassment held over from his predecessor's administration. The embassy has been looking for ways of encouraging Mr. Assange to move on, but the situation still seems to be a failure to launch.

Dave Bittner: [00:06:54] And finally, in a development we think is unconnected with Facebook's other issues, a freelance hacker in Taiwan named Chang Chi-yuan says he's going to obliterate Mark Zuckerberg's Facebook page this weekend, and that he'll be livestreaming the hack.

Dave Bittner: [00:07:08] He says he's a white hat, and he may well be. But on the other hand, the word on the street is that he does seem to get himself sued from time to time. Stream if you dare, voyeurs of low tastes, but we'll be watching reruns of "The Gong Show" instead. It's a more elevated pastime, and that Chuck Barris was one dangerous mind.

Dave Bittner: [00:07:33] Now a moment to tell you about our sponsor, ObserveIT. It's 2018. Traditional data loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high-maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats, and it's extremely difficult even for the most technical users to bypass. Bring your data-loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIt for sponsoring our show.

Dave Bittner: [00:08:42] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, welcome back. You sent over an interesting article here about some Bluetooth vulnerabilities that the researchers have labeled severe. What's going on here?

Jonathan Katz: [0:09:01] This was a vulnerability that researchers found in the Bluetooth-pairing protocol. So the pairing protocol, as many listeners might know, is what's used when you want to pair two Bluetooth devices, say, for example, your cellphone with the communication system in your car. And what the researchers showed was that the underlying cryptographic protocol that was used to set up a secure pairing between two devices was actually vulnerable to an attack that would potentially allow an attacker to either impersonate one of those devices or potentially to eavesdrop on further communications between them.

Dave Bittner: [0:09:33] The Bluetooth coupling used a mathematical concept called ECC. That's elliptic curve cryptography. What can you tell us about that?

Jonathan Katz: [00:09:42] It was a very interesting attack actually. Although looking at the protocol as a cryptographer myself, it's the sort of attack that when you see the protocol, you almost immediately realize that the protocol was designed in a - really a silly way to enable that attack. Fundamentally, what's going on here is that the protocol was using what's called elliptic curve cryptography.

Jonathan Katz: [00:10:02] And without getting into the details of that, let me just kind of say at a high level that this involves sending back-and-forth strings representing points on some mathematical curve. And even if you don't understand any of that, what it comes down to or what the attack boils down to is that essentially half of that string was signed and the other half was not.

Dave Bittner: [00:10:23] OK.

Jonathan Katz: [00:10:24] And the designers of the protocol basically thought that by signing half the string, it would be enough to secure the protocol. And what the researchers showed was that by cutting corners like that, they were able to manipulate the second half of the string and thereby carry out the attack.

Jonathan Katz: [00:10:38] So I think in the end, you know, what it really points out to is the fact that you need to have security protocols analyzed by experts in the field. And in the best case scenario, you want to get your protocols validated and proven secure. And I think trying to analyze this protocol in a structured way and trying to prove security would've immediately identified that finding only half the string was not sufficient.

Dave Bittner: [00:11:01] Now, but it strikes me that - I mean, obviously, you know, Bluetooth is not some fringe bit of technology. The folks who are in charge of validating these sorts of things, surely they would've had somebody look at this before it was sent out and made a standard, right?

Jonathan Katz: [00:11:17] Can I say no comment?

(LAUGHTER)

Jonathan Katz: [00:11:20] You know, all I can say is that the flaw was there, and it's a pretty basic flaw. It's the kind of thing that I would cover in a graduate cryptography class.

Dave Bittner: [00:11:28] Really?

Jonathan Katz: [00:11:28] So I don't know who looked at it, who didn't look at it. I think one of the things going on here is that perhaps people thought that because of the pairing protocol, and because of Bluetooth in general, is something that's carried out between two devices in close proximity, it's a little bit more difficult in practice to carry out the attack. You would need somebody - you would need the attacker to basically be within close physical proximity of the honest users. And presumably, they might be detected. So the practical impact of this is unclear.

Dave Bittner: [00:11:55] All right. Well, the major manufacturers have been alerted, and they've done some patching and updates and so forth. So they're on it.

Jonathan Katz: [00:12:04] We hope so. And I hope that - and I'm sure - it's something that's also easy to fix. And so I'm sure that the next versions of the protocol will address this vulnerability.

Dave Bittner: [00:12:11] Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:12:13] Great. Thank you.

Dave Bittner: [00:12:18] I'd like to take a minute to tell you about an exciting CyberWire event. It's the 5th Annual Women in Cyber Security Reception. It's taking place October 18 at the International Spy Museum's new facility at L'Enfant Plaza in Washington, D.C. The Women in Cyber Security Reception highlights and celebrates the value and successes of women in the cybersecurity industry. The focus of the event is networking, and it brings together leaders from the private sector, academia and government from across the region and women at various points in their careers. The reception also provides a forum for women seeking cybersecurity careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event. It's just about creating connections.

Dave Bittner: [00:13:03] We're grateful to our sponsors. Here are some of them. Our hosting sponsor is Northrop Grumman. Our presenting sponsors are CenturyLink and Cylance. Our platinum sponsor is Cooley. Gold sponsors include T. Rowe Price, VMware, Accenture Security, ObserveIT, Saul Ewing Arnstein & Lehr and Exelon. The art sponsor this year is ZeroFOX. And if your company is interested in supporting this important event, we still have a few sponsorship opportunities available. If you're interested in getting an invitation to this year's event, tell us a little bit about yourself and request one at our website, thecyberwire.com/wcs. That's thecyberwire.com/wcs. We look forward to hearing from you, and we hope to see you there.

Dave Bittner: [00:13:54] Returning once again as our guest today, we welcome Andrea Little Limbago. She's chief social scientist at Endgame, working at the intersection of global policy and cybersecurity. Our conversation today centers on how cyber capabilities affect international statecraft and warfare, the need to establish norms in cyberconflict and how technical and policy people can do a better job of supporting each other's efforts.

Andrea Little Limbago: [00:14:20] As someone who has more of a political science background but spends my time very much in the information security - and I, you know, work at a serious cybersecurity company - the conversations are really quite different about the impact and the relationship between various aspects of digital statecraft, digital - digital capabilities and warfare and conflict. On the one hand, I'm seeing very much so on the information security - from more of the technology folks - the concern and the right concern of the militarization of the internet and how we're framing things and how - you know, increasingly, we're seeing more and more of the full range and full spectrum of attacks, as opposed to the more utopian vision of what the internet can and hopefully one day will do as far as being a democratizing force, helps civil liberties, those kind of things.

Andrea Little Limbago: [00:15:04] And so those are very, very important conversations. But when you switch over to more - the political science, conflict studies and warfare experts and policy folks, the discussion more so is looking at how the various range of cyber capabilities - and again, they'll focus - they'll call it all cyber. So even some of the terminology is a little different. They'll focus on how cyber is impacting warfare already and evolving really the fundamental and core components of warfare, such as - even the notions of power. How is power shifting, and how is the internet enabling really completely new and distinct constructs of how we think about power during warfare?

Andrea Little Limbago: [00:15:39] So it's a really different conversation. It's more so looking at, you know, how - basically it's taking as an assumed - and again, I think that's also the right way to look at it - that various aspects of, you know, digital inauguration and digital capabilities are going to be - are already serving as a disrupter into warfare.

Andrea Little Limbago: [00:15:57] But the interesting thing on that even is that - you know, with my community, it's more - it's still - it's presented more so as a future scenario, as a, you know, how may it one day impact warfare. You know, doing some of my research, you look back on it - it's really been over a decade now since various aspects of digital capabilities have already been influencing and integrated within warfare.

Andrea Little Limbago: [00:16:15] And so I think that's something that is a little underappreciated and needs to be better understood. Again, so we can prepare both for limiting the militarization of internet as best we could through - can through norms and other forms of agreements, on that one end, but also, you know, making sure that we're prepared in warfare for what to expect.

Dave Bittner: [00:16:31] Now, one thing that I've noticed - and I think noted as well is that there seems to be this resistance to drawing any clear lines when it comes to, as you say, norms when it comes to cyber conflict. It seems like world leaders are reticent to say, if you cross this line, then that is warfare. Do you think that's an accurate description of what we're seeing?

Andrea Little Limbago: [00:16:58] I do. And I think there have been some efforts in the - at the United Nations. A group of governmental experts for a while tried pushing forth norms along those lines. And that fell apart last year - as far as not even open warfare and as far as what's off limits or targets, what's off limits for kinds of behavior, which still also helps establish some of the fundamentals at least in peacetime. You know, there have been declarations that laws of armed conflict apply also to the cyber domain. That still seems a little bit somewhat nebulous as far as whether everyone agrees to that.

Andrea Little Limbago: [00:17:30] There's the Tallinn Manual that defines things a little bit more. But again, it's more - more guidance than a formal regulation or law. So there are these - there are these attempts at it in certain areas, but even a lot of those are very vague. Especially if you look at like NATO, Article 5 now has a cyberattack as part of its - a cyberattack on one is viewed as an attack on all. But it still fails to define really what kind of cyberattack, what kind of effects might it have, what would be the example that instigates the collective security of the alliance.

Andrea Little Limbago: [00:18:00] And so it still remains very - I think states and leaders are very hesitant to really define that red line for many - I think for many reasons. One is, you know, that means other countries or other actors will push up to as far as and as close as possible to that line without - you know, knowing that they would not have any repercussions for it. And then if you do have that red line, as we've seen this, you know, over and over again just in traditional warfare, then it leads to a lot of domestic costs for leaders if it turns out that red line is crossed, and it's not a popular war.

Andrea Little Limbago: [00:18:28] So there are a lot of - you know, it's much more nuanced than just doing a red line or not. But at the same time, we definitely need a lot more structured approaches and various kinds of policy advances to help us evolve and understand when these kinds of acts are - should be treated and responded to with various kinds of statecraft - anything from the range of non-kinetic responses, from the sanctions, the persona non grata, indictments that we've been seeing a lot lately, all the way to when it should be - when it should trigger a militarized response.

Dave Bittner: [00:19:00] What do you wish that the folks on the tech side understood better? What messages do you think they need to know?

Andrea Little Limbago: [00:19:09] Yeah, and that's great. And I wish I had all the answers to that. But you - probably the - actually the interesting thing about that is I think some of it is starting to change. I kind of look at the breaking point - or the sort of the inflection point of our elections in 2016. I feel like prior to that there were really very few news - almost - people were accusing more of the national security folks of being alarmist in many of these areas. But with the election interference, I think that has started changing some folks to understand really the national security threats that are out there.

Andrea Little Limbago: [00:19:36] But that would be - really the overarching one is that - actually probably two different areas. One is to broaden or to expand our understanding of how we view about - view or define cybersecurity or information security. And this is actually a point that Alex Stamos made in a recent interview as well. We really need to expand to think about the full range of ways that, you know, information and various kinds of digital capabilities can be used by attackers, by adversaries.

Andrea Little Limbago: [00:20:04] And so for so long within InfoSec, we focus really on the network compromises - the spear phishing, malware, so forth - I mean, which is understandable. That's good. That absolutely should remain a core focus. But when we look into the broader realm of cyber statecraft - if you want to call it - you've got all the other propaganda and disinformation, data manipulation, all of those kinds of things. And so it does get back a little bit into the confidentiality, integrity and availability of data. All that still is very very true.

Andrea Little Limbago: [00:20:33] But when you think about it broader than just network compromises, if you can think about it as that full spectrum, I think that really impacts how we will start to think about how to defend against it - but also how the people with the tech backgrounds and tech capabilities, what they can contribute to fighting that whole spectrum of attacks as well. Increasingly we're seeing, in different examples - you know, it's not just going to be a hack - you know, a network compromise.

Andrea Little Limbago: [00:20:56] In addition to that - the example I like to give a lot is in Qatar when the - basically when they were the highest tensions in Qatar, which there currently still is a boycott. But there was was a hack of a state media site in Qatar. And then from there, there was posting of disinformation on that media site. And then that disinformation was spread via Twitter bots. And there was basically, you know, bot armies spreading disinformation. And that's kind of the adversary playbook that I talk about that I see occurring more and more - is integration of the disinformation with the hack, with the bots and the automation.

Andrea Little Limbago: [00:21:30] So that's what we need to start thinking about - how can we defend about those - against those areas opposed to thinking about them all the stovepiped because the adversaries don't. They think about it as a full - as full-spectrum information security, you know, and attempts for information control. And so we're not understanding how they're viewing it and what kind of strategies they're using - makes it really hard for us to defend against that. And that's - that'd be one area - just really focusing on those. And then just, again, another area that I would like - I just would like to get more and more of the people with more tech backgrounds just to be talking politics folks - and vice versa. It goes both ways.

Andrea Little Limbago: [00:22:00] So even just the more opportunities we can have - you know, like next year, there might be a law and policy village at DEFCON. I think that'd be a great thing. I hope that happens. But foot soldiers are doing the work for policy, you know, within the military, within the government, within some academic - academia. In talking with them, there still is plenty of collaboration going on more at lower levels of government and lower levels within the military. And so that actually made me - it was heartening actually to hear a lot of those examples that - you know, you just aren't - it's not sensational, right? So it's not going to make the press that, oh, these two groups are, you know, coordinating and collaborating very well. That's just not going to make the news.

Andrea Little Limbago: [00:22:39] So there still is plenty of collaboration still going on. And so that's the nice thing. You know, our democratic institutions are strong, and our alliances are very strong. And so I'm hopeful that they can withstand some of the stress that's going on at the, you know, national leadership levels, you know, across the world. So we'll see - which isn't to say that we shouldn't be concerned. But it's something that, you know, I'm hopeful that we're resilient enough to withstand it.

Dave Bittner: [00:23:00] Interesting times, right?

Andrea Little Limbago: [00:23:01] It is indeed. Absolutely.

Dave Bittner: [00:23:04] That's Andrea Little Limbargo from Endgame. There's an extended version of our interview over on our patriae on page. We'll have a link to it in the show notes for today's episode. Check it out. And that's the CyberWire.

Dave Bittner: [00:23:19] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. Find out how Cylance can help protect you using artificial intelligence. Visit Cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:23:46] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik. Social media editor is Jennifer Eiben. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.