Dave Bittner: [00:00:00] Hey, everybody, just a quick reminder that it is Thursday, which means there's a new episode of our "Hacking Humans" podcast released today. That's the show where each week we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. It's hosted by me, and I'm joined by my buddy Joe Carrigan from the Johns Hopkins University Information Security Institute. We hope you'll check it out. That's the "Hacking Humans" podcast. Thanks.
Dave Bittner: [00:00:31] The report of Chinese supply chain seeding attacks comes in for more skepticism. NSA never heard of it, and Congress would like some answers. The U.S. has an officer of Chinese MSS in front of a Cincinnati court on charges of industrial espionage. He was extradited this week from Belgium. We've got notes on officers and agents. And Russia repeats denials of hacking the Organization for the Prevention of Chemical Warfare.
Dave Bittner: [00:01:04] And now a word from our sponsor Wombat. When it comes to security, it doesn't matter how deep your moat is or how high your castle walls are if an unaware employee lowers the drawbridge for cybercriminals. Ninety percent of attacks now start with phishing and social engineering to gain access to systems and data, so educating your employees to spot and defend against these threats is more crucial than ever. Wombat Security, a division of Proofpoint, is the leading provider of information security awareness and training software designed to educate your employees to identify social engineering and protect your organization. Through phishing simulation and knowledge assessments, Wombat paints a picture of where your employees are vulnerable and changes their risky behaviors through highly effective interactive training. Born from research conducted at Carnegie Mellon University, Wombat's suite of training covers topics from phishing and social engineering to physical and office security and even compliance topics like GDPR. And now, through an integration with Proofpoint's world-class threat intelligence, Wombat is leading the way with phishing simulations and content based on the latest emerging threats. Don't let cybercriminals into your castle. Transform your employees from risky to ready with Wombat Security. To learn more, visit wombatsecurity.com/cyberwire. That's wombatsecurity.com/cyberwire. And we thank Wombat for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:02:40] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, Oct. 11, 2018. Bloomberg's report of a large-scale Chinese seeding attack on the hardware supply chain has yet to find much corroboration. As we noted yesterday, Bloomberg itself cited a Maryland security firm, Sepio Systems, willing to say that it had found the Chinese spy chips in some Supermicro motherboards used in one of its client's servers. But it can't say where it found them because of nondisclosure agreements with that company. It can only say that it was a telecommunications company.
Dave Bittner: [00:03:18] To review, Apple, Amazon and Supermicro, the three companies named in the original story, have all categorically denied that the hardware they used - or, in the case of Supermicro, produced - was compromised by an illicitly installed chip. Both Britain's GCHQ and the U.S. Department of Homeland Security say they have no reason to doubt those denials, and DHS has also said it's not conducting any investigation into the alleged seeding attack on the supply chain.
Dave Bittner: [00:03:47] NSA's Rob Joyce, the agency's senior adviser for cybersecurity strategy, is the latest official to cast doubt on the report. At an event in Washington yesterday organized by the U.S. Chamber of Commerce and RealClearPolitics, Joyce said, quote, "there's no there there," end quote. That is, he hasn't seen any evidence that the supply chain attack took place. He pointed out that the denials by Apple, Amazon and others should count for something since their directness and specificity would expose the companies to considerable legal risk if the denials were untrue. As he said in response to a question from The Wall Street Journal, quote, "what I can't find are any ties to the claims in the article. We're befuddled. If someone has first-degree knowledge, can hand us a board and point to somebody in a company that was involved in this as claimed, we want to talk to them," end quote. So it appears NSA doesn't see the malicious chip either.
Dave Bittner: [00:04:45] Congress is pushing its own investigation. Apple has already sent the Senate a letter, and senators Marco Rubio, a Republican from Florida, and Richard Blumenthal, a Democrat from Connecticut, have asked Supermicro to reply to a series of questions about the alleged incident. Senator John Thune, a Republican of South Dakota, requested staff briefings from Apple, Amazon and Supermicro by Friday. In the House, Oversight committee chair Representative Trey Gowdy, Republican of South Carolina, and Intelligence Committee chair Devin Nunes, Republican of California, have asked for classified briefings on the matter from the FBI, DHS and the director of national intelligence. They want those briefings by Oct. 22.
Dave Bittner: [00:05:29] More will therefore probably come to light over the next two weeks. But for now at least, the best most other parties can say about the Bloomberg story is that it's not proven. Others are harsher. Security firm Malwarebytes calls it the Bloomberg blunder. Google security researcher Tavis Ormandy tweeted his skepticism by saying that this is starting to feel like chemtrail territory. And two experts quoted in the story, Joe Grand of Grand Idea Studio and Joe FitzPatrick of Hardware Security Resources, both say their statements were taken out of context and don't in fact support the reporter's conclusions - so at best not proven and increasingly looking as if the story won't be. Bloomberg continues to stand by its reporting.
Dave Bittner: [00:06:18] Security firm Varonis recently surveyed both IT and C-suite professionals to gauge their perceptions on data breach prevention. Brian Vecci is technical evangelist at Varonis, and he joins us with what they found.
Brian Vecci: [00:06:32] Ninety-one percent of IT and cybersecurity pros believe that their organization is making progress when it comes to cybersecurity while the C-suite was less positive. Only 69 percent agreed with the same thing. More than half of C-suite respondents and about half of IT and cyber pros identify data loss as their number-one priority - number-one concern, I should say, followed by data theft.
Brian Vecci: [00:06:57] But their - the - what they thought was the third priority differed a little bit. Cybersecurity pros are - and IT pros are really worried about ransomware, which has been one of the biggest scourges recently. And C-suite executives are more worried about data alteration, which I think is pretty interesting.
Dave Bittner: [00:07:11] What do you think is the source of that little disconnect there between the IT pros thinking that they're making progress and the C-suite maybe not thinking they're as far along?
Brian Vecci: [00:07:21] I think that's probably the most interesting thing that's come out of this survey, is that kind of discrepancy between IT and security pros thinking, hey, we're making big investments in technology and cybersecurity, and we're making some pretty big progress with regards to our security posture. C-suite executives don't seem to share that same view. And I think it comes from how we measure the ROI, the return on investment, for security spending. And it also comes with how we measure or tend not to measure the risk associated with data loss and data theft.
Brian Vecci: [00:07:59] You know, for C-suite executives, one of the - the sense that we get from this survey is that security's kind of a binary situation. You've either been breached or not. And what was interesting is that the C-suite executives believe that the biggest issue with cybersecurity is recovery costs. You know, if you get breached, how expensive is it going to be to clean things up? Whereas IT and cybersecurity pros are more concerned with reputational and brand damage - how is this going to affect our business? In some cases, is this going to, you know, mean the end of the business completely?
Brian Vecci: [00:08:37] And I found that really, really interesting. It's the IT pros that realize these security issues have really deep connections with how the business is run, while C-suite executives think, well, we really just have to worry about the recovery costs. And I think that's because cybersecurity pros and the security community in general hasn't yet done a really good job of showing business leaders the measurable risk and risk reduction of security investments and what security actually means for their business.
Dave Bittner: [00:09:08] So how do you suppose the cyber pros go about bridging that gap?
Brian Vecci: [00:09:13] I think it's kind of a messaging issue. It's - cyber pros have to do a better job of explaining to business leaders and showing them not only the scale of the problem, but exactly how investments in cybersecurity can make a measurable difference in their business. I spent some time recently with a group of CIOs. And we had a really interesting conversation about this that was based on investments related to the GDPR, which, as I'm sure you know, is the EU General Data Protection Regulation. And this group of CIOs is in the United States. And they were kind of split on whether they had a real mandate to make big changes to their organizations from a technology perspective because of a law that may or may not affect them.
Brian Vecci: [00:10:05] And one of the things that came out as part of that discussion was, you know, there are going to be real costs with putting the kinds of controls in place to keep data private that the GDPR mandates. And should we do this now, even if maybe as an organization we're not subject to these kinds of controls? Or should we wait until, for instance, the California Consumer Privacy Act goes into effect, and we have a real mandate to do it? Some CIOs and some business leaders are thinking that way.
Brian Vecci: [00:10:31] But others are realizing that, you know, putting the kind of controls that the GDPR says you need to have when it comes to data, which is really just treating personal information as something that's kind of valuable and not something that you can just throw in a junk drawer and not worry about - which is how many organizations have treated data in the past - could give them a competitive advantage because who wants to do business as a consumer or as a business partner with an organization that doesn't take data privacy and security seriously?
Brian Vecci: [00:11:00] But how we measure the effect of those investments and how we measure the risk of not doing anything, just to boil things down to their simplest forms, is something that IT and cybersecurity pros haven't been great at. And it shows up in the results of these surveys where C-suite executives don't see the same kinds of results that IT and cybersecurity pros see when it comes to security investment.
Dave Bittner: [00:11:24] That's Brian Vecci from Varonis. You can find the results from their data breach prevention survey on their website.
Dave Bittner: [00:11:32] In the first incident of its kind, an officer of the Chinese intelligence service the Ministry of State Security, MSS, is in U.S. custody facing hacking charges. Yanjun Xu, a deputy division director in MSS' Jiangsu State Security Department, Sixth Bureau, was apprehended by Belgian authorities in April and extradited to the U.S. on Tuesday. The Department of Justice says he'll be tried for conspiring and attempting to commit economic espionage and steal trade secrets from multiple U.S. aviation and aerospace companies. It's an industrial espionage beef. And it will be tried in Cincinnati near where the alleged attempted theft of trade secrets from GE Aviation occurred.
Dave Bittner: [00:12:16] Xu used traditional espionage approaches as opposed to more 21st-century cyberattacks. He would attempt to recruit U.S. agents by offering them, for example, invitations to academic conferences at Jiangsu and then work on them to deliver the information the MSS was after. He himself was apprehended using traditional counter-espionage approaches. U.S. officers lured him to Belgium, where Belgian authorities arrested him on the U.S. warrant. The Washington Post reports that Xu's case is linked to that of Ji Chaoqun, a Chinese citizen living in Chicago.
Dave Bittner: [00:12:52] China's reaction has been relatively moderate. The Post reports that the foreign ministry said the indictment was made out of thin air but that they expect the U.S. to deal with Xu fairly in accordance with law, respecting his legitimate rights and interests. Some observers suggest that the arrest, trial and extradition of a Chinese intelligence officer will prompt strong Chinese retaliation in cyberspace, and perhaps it already has. U.S. officials this week have been naming China as the principal cyber threat, worse than Russia, which itself is pretty bad.
Dave Bittner: [00:13:28] A quick note as we follow these stories on the difference between an officer and an agent. An officer is someone who works for an intelligence service as a regular employee. An agent is someone that an officer might recruit to spy for that service. Thus, Aldrich Ames, currently serving life for espionage in a U.S. federal prison, was an American officer - he was employed by the CIA - but a Russian agent. He spied for the KGB and its successor agencies. Xu is an MSS officer.
Dave Bittner: [00:14:00] Threat intelligence firm Recorded Future contrasts the Russian and Chinese hacking communities - respectively, thieves and geeks. This is from its analysis of their online hacking communities. Part of the difference lies in China's relatively greater separation from the two countries' mostly Western targets. There's not only the barrier of the great firewall but also the separation imposed by quite different language families. And of course, there are cultural issues as well. Russia makes use of traditional criminals to serve the state as they enrich themselves. China uses its security services to help enrich the state.
Dave Bittner: [00:14:38] And finally, TASS is authorized to declare that Russia strongly denies having hacked the Organization for the Prevention of Chemical Warfare. They were framed, Moscow says, by Dutch security services probably in cahoots with their Anglo-American masters. We await further clarity about the GRU hackers and Novichok specialists and their interests in Stonehenge, tulips, windmills and canals.
Dave Bittner: [00:15:14] And now a word from our sponsor. Who's that sponsor, you say? Well, it's none other than the mysterious team behind the spectacularly successful F.A.K.E. Security booth at RSA 2018. You remember. It was the one with no vendor name, no badge scanning and the charismatic snake oil salesman pitching his imaginary cybersecurity cures for all that's ailing businesses around the world. So who was behind that booth? Why did they do it? Who's really sponsoring our show today? Get the answers you've been dying to hear and hear the story behind the booth at fakesecurity.com/cyberwire. That's fakesecurity.com/cyberwire. And we thank whomever it is for sponsoring our show.
Dave Bittner: [00:16:08] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, it's good to have you back. We have been going through a couple of interesting cases that came through Florida recently, and there was one that had to do with cell-site location information. Bring us up to date. What's going on here?
Ben Yelin: [00:16:28] Sure. So this is another Court of Appeals decision from the state court in Florida. And it was actually a cell-site location information case dating back to 2001, the early days of cellular telephones, or maybe the Middle Ages of cellular telephones. And what happened is the government was able to use cell-site location information to locate a person charged with first-degree murder. That person was convicted largely based on the evidence gained through that cell-site location information. Then, this year we had a Supreme Court decision in Carpenter v. United States which informed us that the government needs a warrant to obtain cell-site location information.
Ben Yelin: [00:17:12] Now, usually this is not a problem for law enforcement. There's this thing in the legal world and the Fourth Amendment world called the good faith exception. If the government is relying on clear rules that are in place at the time, the conviction will stand even if those rules are subsequently changed by the Supreme Court. So if something was legal in 2001, and the Supreme Court suddenly decides it's illegal in 2018, traditionally that means the conviction can't be overturned. Law enforcement was working with the tools that they had been given.
Ben Yelin: [00:17:48] That is actually not the case here because in this case, there was no legal doctrine at all in this area of the law. There was no decision saying that a warrant is not required for cell-site location information. And in the absence of any sort of guidance, the good faith exception can't apply. So this person is going to be granted a new trial, and the state will have to use evidence that wasn't gleaned from the historical cell-site location information.
Dave Bittner: [00:18:17] So a retroactive decision of - what? - a decade and a half or so back.
Ben Yelin: [00:18:25] Yeah. It's probably (laughter) very devastating for the prosecutors and for the attorney general of the state of Florida. But, you know, this is what happens. When the Supreme Court decides that we have a reasonable expectation of privacy in information gleaned from a certain type of technology, then the end result is going to be that some undesirable people, people who have committed heinous crimes, are either going to be set free or going to get their day in court. And, you know, traditionally the good faith exception allows us to avoid these types of situations. But since there was no prevailing law on the question of warrants for cell-site location information, the state is really out of luck here.
Dave Bittner: [00:19:06] All right. Well, it's fascinating to track along with it. Ben Yelin, thanks for joining us.
Ben Yelin: [00:19:11] Thank you.
Dave Bittner: [00:19:15] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.
Dave Bittner: [00:19:23] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:19:50] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.