Dave Bittner: [0:00:03] Huawei's CFO remains in Canadian custody, perhaps to be extradited to the U.S. All Five Eyes have now expressed strong reservations about Huawei away on security grounds. They've been joined in this by Japan and the European Union. Proofpoint sees a shift in cybercrime toward more carefully targeted and thoughtful social engineering. Kaspersky describes DarkVishnaya, a criminal campaign using surreptitiously planted hardware to loot Eastern European banks. And New York Times national security correspondent David E. Sanger joins us to discuss his latest book, "The Perfect Weapon."
Dave Bittner: [0:00:47] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And, like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report, "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.
Dave Bittner: [0:01:44] Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [0:01:48] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 7, 2018. China has demanded that Canada release Huawei's CFO, Meng, from custody, but in custody she seems likely to remain. Canadian police arrested Ms. Meng in Vancouver as she was transiting through the city's airport. The decision to arrest her was a Canadian decision. Prime Minister Trudeau says it was a judicial matter and properly conducted by an independent judiciary. The arrest appears to have been opportunistic rather than well-planned in advance. It's not known if an Interpol red notice was out for Ms. Meng.
Dave Bittner: [0:02:31] The U.S. is generally expected to seek Ms. Meng's extradition, hearings for which could occupy weeks or even months. Canada and the U.S. have an extradition treaty of longstanding, one of whose provisions is that the crime charged must be a crime under the laws of both countries. In any case, Huawei has politely expressed its confidence in Canadian and American justice.
Dave Bittner: [0:02:57] The U.S. is investigating not only violation of sanctions imposed on Iran but financial crimes, as well, specifically involving money laundering. Huawei is thought to have used HSBC as a conduit for illicit transactions with Tehran. HSBC was fined and entered into a deferred prosecution agreement with the U.S. Justice Department back in 2012 in connection with violations of U.S. sanctions and money laundering laws. The arrest is taken as a strong signal of U.S. determination to enforce sanctions. It's also believed likely to sharpen the ongoing Sino-American trade war, with IT market leadership at stake.
Dave Bittner: [0:03:38] Observers wonder whether China will retaliate for U.S. measures against Huawei and ZTE and Russia for Kaspersky's exclusion from U.S. government systems with their own legal or extralegal action against U.S. companies. Such a response from China would be more troubling than one from Russia. Trade ties and technology interconnection is much more pronounced with China.
Dave Bittner: [0:04:02] And, of course, Huawei remains under suspicion in all Five Eyes of posing a security risk. The U.S. intelligence community has regarded the company as a deniable cat's paw for Chinese intelligence services since at least 2010. Australia has been close behind the U.S. in voicing extreme skepticism about the company. This was seen in Australian efforts to prevent Huawei from participating in a telecommunications cable service being established in Papua New Guinea and in recent moves to exclude Huawei from Australia's 5G network buildout. Mike Burgess, head of the Australian Signals Directorate, warned just this week that Huawei's devices could pose a threat to water and power infrastructure were they to be used in those networks.
Dave Bittner: [0:04:47] New Zealand put similar restrictions in place over the past week. BT, the British telecommunications giant, has announced it's dumping Huawei equipment, to the chagrin of some British business partners of Huawei. And MI6 director Alex Younger warned in a speech Monday that cell towers and other communications infrastructure could be vulnerable to compromise. He told an audience at St. Andrews University, quote, "we need to decide the extent to which we are going to be comfortable with Chinese ownership of these technologies and these platforms in an environment where some of our allies have taken a very definite position," end quote.
Dave Bittner: [0:05:25] Canada may be the last of the Five Eyes to reach this conclusion, but it seems to be moving swiftly in that direction. Nor is such suspicion confined to the Five Eyes. Japan has decided to exclude both Huawei and its smaller competitor, ZTE, from government contracts. And this morning, the European Union's technology commission warned that Huawei constituted a threat, specifically citing the risk of mandatory backdoors installed in its equipment at the behest of Chinese intelligence services. Huawei, of course, denies that it does any of this, but sentiment is running strongly against Chinese hardware manufacturers.
Dave Bittner: [0:06:06] A large Chinese information operations campaign seems already to form part of a response. The Guardian has a long account of an image-building campaign Beijing is conducting to shift the center of world civilization in the direction of the Middle Kingdom. This involves purchasing and operating media outlets, such simple stuff as putting paid content into newspapers - those inserts you see, like Shanghai is open for business or young entrepreneurs of Guangdong welcome you - cultural centers and so on. This presents a contrast with the shadowy trolling and false fronts characteristic of Russian information operations. It will be worth watching to see what success the Chinese campaign has.
Dave Bittner: [0:06:50] Turning to more ordinary stories of cybercrime, Proofpoint warns of an emerging threat to U.S. retailers. TA505, as Proofpoint calls the criminal group behind Locky and Dridex ransomware campaigns, uses highly personalized attachments in a phishing campaign that spreads remote manipulator system and FlawedAmmyy malware, rats and backdoors. The attachment is typically a malicious Word document that represents itself as a scan. The personalization consists of making the document look as if it came from the company being targeted, which, of course, makes it more likely that an employee might open it. One aspect of the personalization is including the company's logo in the document lure.
Dave Bittner: [0:07:34] Proofpoint sees this an instance of a shift in the criminal market. TA505 had, through 2017, been a black market leader with massive phishing campaigns. And shouldn't there be some related metaphor for that kind of phishing? - something related to bottom trawling, perhaps. Those massive indiscriminate efforts - Proofpoint mentions smash-and-grab ransomware campaigns - are less common because they're less profitable. Some of that is due to increased general awareness of commonplace phishing tactics. Some of it may be due to the way Altcoin values have cratered in 2018. In any case, more effort, better targeting, smaller scale and more thoughtful engineering seem to be the trend.
Dave Bittner: [0:08:19] Kaspersky Lab describes a crime wave it's investigating that's cost Eastern European banks millions. ZDNet calls it Hollywood hacking because it uses the kind of techniques one usually sees in a heist or caper movie but far less often in real life. In this case, the criminals physically enter a bank, attach small, cheap hardware to the bank's networks, leave the devices in place and then retire to remotely drain funds.
Dave Bittner: [0:08:45] The hardware normally used is either a cheap laptop, a Raspberry Pi board or a Bash Bunny malicious thumb drive. Kaspersky won't name the affected banks because of security and nondisclosure concerns. But they say the losses have been high. Of the three kinds of hardware the criminals are using, the laptops are, obviously, the easiest to spot. But even those go unnoticed. A Raspberry Pi or a Bash Bunny are much easier to deploy unobtrusively. Kaspersky says the criminal operations, which it calls collectively DarkVishnya, have been going on since last year. It's worth reminding people that physical security often intersects cybersecurity. DarkVishnya is a good example of how.
Dave Bittner: [0:09:35] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data-loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats. And it's extremely difficult even for the most technical users to bypass. Bring your data-loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [0:10:44] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, today I want to touch base with you about go bags. Now, I'm not going to say whether or not I actually have a go bag in my house if I need to get out of town in a hurry. But when it comes to incident response, you're making the case that a go bag is something that, perhaps, you need to have in your arsenal.
Justin Harvey: [0:11:07] That's exactly right. A go bag is not just for your consulting incident response team, which I run. But it's also - could be for your incident responders in commercial and government clients or companies as well. In our go bag - we could be called at any point to get on a plane and travel halfway around the world in order to respond to an incident. So it's important that we have everything lined up, ready to go just like you see in the movies with, let's say, the FBI hostage rescue team. They've...
Dave Bittner: [0:11:39] (Laughter).
Justin Harvey: [0:11:39] ...Got their go bags. Well, at a cyber level, we've got the same thing.
Dave Bittner: [0:11:42] Yeah.
Justin Harvey: [0:11:43] And it goes beyond having (laughter) packed several outfits and so on. We also travel with technology that help us accelerate our work. So we've got the tools that we use. So we have our own USB drives that have all of our tools, our forensic collection kits, our endpoint detection response software. We also are quite heavy users of Splunk, so we've got that in our arsenal as well, on our laptop, ready to go. And in fact, many of us travel with several laptops - up to two or three at a time. So we've got our normal corporate laptop, and then we've got our analysis, our beefy laptop that has ungodly amount of CPU and disk and memory, ready to do a forensic analysis.
Dave Bittner: [0:12:30] So you're the guys I don't want to get behind at the airport.
Justin Harvey: [0:12:33] (Laughter) Yes. Although, a lot of times our go bags are in what we call the Pelican cases. These are hard-shell cases...
Dave Bittner: [0:12:42] Sure.
Justin Harvey: [0:12:42] ...That look like something you'd ship a weapon or very expensive audio-visual equipment in. And that holds a lot of our encrypted USB drives that have little PIN codes on there, so we don't have to remember, oh, yeah, did that - did our team member encrypt that driver? We take data privacy and the communication of data safely very seriously. So we don't leave it up to the user to encrypt the USBs. We do it ourselves with the PIN pads.
Justin Harvey: [0:13:11] We also travel many times with what we call minions. These are suitcase servers, probably about the size of a 20-inch monitor and a little bit thicker than that. And it has a monitor built into it. Sometimes they make them with keyboards that flip down out as well. And these have the power of about 10 laptops. If we need to run Splunk for all of our forensic investigations, if we need to load up to a hundred forensic images to do analysis, we can do that on the minion. And they're very portable.
Justin Harvey: [0:13:45] And if that is not enough, we also have a refrigerator-sized - actually, a half-refrigerator-sized rack mount server that we can actually ship out via FedEx or UPS to get to the client side if we need to do additional analysis. In addition to that, our go bags also have write blockers and technology designed to do quick forensic collection amongst systems in the enterprise, as well as things that you wouldn't really necessarily suspect to be in a go bag, things like projectors.
Justin Harvey: [0:14:20] You never know where in the world we're going to go or if we're going to be in a war room without the ability to project on the wall. So we travel with projectors as well, including several other types of mobile technologies. For instance, mobile phone collection kits we have in addition to your standard array of networking gear.
Justin Harvey: [0:14:43] So sometimes we've got little TAP SPAN port hubs so that we can deploy in the field and start to get to collect network forensic data in addition to our own ability to phone home. So clearly, our own wireless access points to be above and outside of the network that we're working at in any given client.
Dave Bittner: [0:15:07] I'm imagining you rappelling in from a helicopter. That's the vision I have in my mind's eye. It's not too far off from that, I suppose.
Justin Harvey: [0:15:14] Not too much. I think we have our helicopter on order. So we'll hopefully get delivery of that next year.
Dave Bittner: [0:15:21] Right. See if you get budget approval on that one.
Justin Harvey: [0:15:23] Exactly.
Dave Bittner: [0:15:23] All right. Justin Harvey, thanks for joining us.
Justin Harvey: [0:15:26] Thank you.
Dave Bittner: [0:15:31] And now a few words about our sponsor, our friends in the technology news world, Techmeme. You probably know Techmeme from their curated online comprehensive view of all the day's tech news. And now, they also produce the "Techmeme Ride Home" podcast. If you like the CyberWire and you're looking for even more technology news, "Techmeme Ride Home" is the podcast for you. We're fans, and we think you'll like it too. It's 15 to 20 minutes long and hosted by veteran podcaster Brian McCullough. You may know Brian from the "Internet History podcast." The "Ride Home" distills Techmeme's content into, well, the kind of things you'd like to listen to on the ride home - headlines, context and conversation about the world of tech. It posts every weekday afternoon around 5 p.m., great for afternoon drive time in the U.S. Be sure to search your favorite podcast app for "Ride Home" and subscribe today. That's the "Techmeme Ride Home" podcast. And we thank the "Techmeme Ride Home" podcast for sponsoring our show.
Dave Bittner: [0:16:36] My guest today is David E. Sanger. He's national security correspondent and senior writer for The New York Times. He's the author of several bestselling books on national security and foreign policy, the most recent of which is "The Perfect Weapon: War, Sabotage and Fear in the Cyber Age."
David E. Sanger: [0:16:54] Cyber has emerged over the past 10 years as the primary way that countries seek to undermine and compete with each other in a short-of-war way. And by short of war, I mean attack each other, spy on each other, manipulate each other using techniques that are not likely to bring about a major military conflict. And that's why the book is called "The Perfect Weapon" because cyber is cheap. It's deniable. It's easily targeted. You can dial it up, and you can dial it down. In other words, it's the opposite of a nuclear weapon. You can actually control its effects and target it very carefully. And it can sometimes be difficult to figure out where it is that an attack came from.
David E. Sanger: [0:17:46] And so my fascination, as somebody who has covered national security for many decades, been a foreign correspondent for the Times, covered national security and foreign policy in Washington for many years, has been the emergence of a technology that is as game-changing as the invention of the airplane was, in some ways as game-changing as the invention of the atom bomb was but very different ways, as a new power of influence and a leveler because it's so cheap. It allows much weaker and smaller and broke countries to challenge far more powerful ones.
Dave Bittner: [0:18:26] To what degree do nations respect the capabilities of each other when it comes to the cyber domain? Again, I'm thinking about with nuclear weapons. You test a nuclear weapon or even as they were used in World War II, well, that's a pretty big demonstration of the capabilities of these weapons. And it strikes me that I don't know that we've seen a similar test or a demonstration of capabilities in the cyber domain. It seems to me that it's more possibilities so far. Is that - is my perception accurate there?
David E. Sanger: [0:18:59] Close, but not entirely. So you're absolutely right that the nuclear age began with a far larger and more fearsome demonstration of power. And it actually affected how we thought about and dealt with nuclear weapons for the succeeding 70 years because after Hiroshima and Nagasaki, there was no value in hiding what our capability was. Everybody knew what our capability was. We knew what our capability was. But we had demonstrated it to the world. And thus, we could sort of have an open debate about how we wanted to go use that capability. And that debate ended up in a completely different place than it started, right? I mean, you had MacArthur wanting to use nuclear weapons against North Korea and China. During Vietnam, as we now know, General Westmoreland wanted to bring nuclear weapons into South Vietnam in case he needed to use them in North Vietnam.
David E. Sanger: [0:19:52] But by the late '70s and '80s, we had, basically, decided we would only use nuclear weapons as a matter of national survival. In cyber, we've never had our Hiroshima and Nagasaki moment. So what's happened is countries believe that if they talk much or demonstrate much of their cyber activities or even admit to them, that somehow, it impedes their power by revealing too much. I, actually, think the opposite is the case. It's one of the reasons it's gotten in the way of our deterrence.
David E. Sanger: [0:20:25] Perhaps the biggest case where the issue of respecting another nation's powers have come along has been in the election hack, where President Obama thought about retaliating against the Russians when it became clear that they had been behind the hacks of the DNC and John Podesta's email and so forth. But he hesitated, as I describe in the book, because of the fear that the Russians would come back on Election Day. And when they did, they might attack the actual voting machines.
Dave Bittner: [0:20:55] Now, one of the things that you advocate in the book is this notion of creating sort of a Geneva Convention framework for cyber arms control. Where are we when it comes to establishing those sorts of norms?
David E. Sanger: [0:21:09] The very early stages, and most of it hasn't been terribly successful. There was an early effort that I was impressed with that was done by the United Nations, a group of experts. But that floundered about a year ago with the Russians and the Chinese getting in the way of it. The United States itself is part of the problem here. And the thought of a Geneva Convention is, initially, somewhat appealing because treaties don't work in the cyber age. There's just too many players, and many of them are non-governmental actors who don't sign treaties - you know? - criminal groups, teenagers, all sorts of patriotic actors. So having an agreement between the United States and Russia and China wouldn't get you very far.
David E. Sanger: [0:21:56] But having a sort of understood code as the Geneva Convention tries to protect civilians in ordinary combat is another matter because while it's unenforceable, it begins to set a norm of behavior. And that norm's important. It's the reason some people get dragged up in front of the criminal court - right? - in the Hague. In the digital world, the idea of a digital Geneva Convention would be, again, to protect civilians, to sort of say what targets should be off limits. And if we were making a list, we could come up with some - election systems, the electrical grid, hospitals, nursing homes, emergency communications systems. You can think of a pretty good list. The problem with that is I suspect that even the U.S. intelligence community would object to signing the U.S. up to those because they would say, do you want to limit the president if he thinks that he can avoid a war by messing with another country's elections?
Dave Bittner: [0:22:57] Where do you see this going? How do you see it playing out? When you look toward the horizon, where do you see - where do you think we're going to find ourselves in the coming years?
David E. Sanger: [0:23:06] That's a really good question. This is accelerating dramatically as a weapon for states, as a defense - set of defensive measures. And the problem's growing more complex, of course, by the Internet of Things. If we think that we have 12 or 13 billion Internet of Things devices now, it'd probably be well over 20 billion by 2020 by most estimates. All of those increase the attacks base that countries can attack.
David E. Sanger: [0:23:39] We have to think of ourselves right now as sort of at the end - where we were in air power at the end of World War I. We knew the airplane could fly. We knew that there had been some skirmishes in the air - the Red Baron, people up against the German early airplanes during World War I. But the weapon had not been decisive. It didn't become decisive until World War II. You have to think of cyber in sort of the same terms. We've seen the early skirmishes. We haven't seen the true capabilities of the weapon.
Dave Bittner: [0:24:12] Our thanks to David E. Sanger for joining us. The book is "The Perfect Weapon: War, Sabotage and Fear in the Cyber Age."
Dave Bittner: [0:24:24] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [0:24:43] And thanks to our supporting sponsor VMWare, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [0:24:52] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.