Shamoon variant implicated in Saipem hack. Charming Kitten reappears. Sino-American tension over trade and industrial espionage.
Dave Bittner: [0:00:03] The Saipem hack looks like a new Shamoon variant. Charming Kitten started prowling through relevant places after the Iran sanctions became more serious. U.S. authorities denounce Chinese espionage, especially industrial espionage, but there are as yet no new indictments or sanctions. Concerns mount over Chinese influence operations. And another Canadian may be in Chinese custody, possibly in retaliation for the detention of Huawei's CFO.
Dave Bittner: [0:00:37] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all-image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.
Dave Bittner: [0:01:34] Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [0:01:37] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 13, 2018. Cyber news today is dominated by reports on what appear to be the activities of two nation states - Iran and China. First, Iran - there's been an update to the story of the cyberattack against offices in the Italian oil field services company Saipem. Reuters reports that the attack delivered a new variant of Shamoon wiper malware. The attack took place over the past weekend and was tersely disclosed Monday. As details have emerged over the course of the week, we are hearing more about how this version of Shamoon differs from the 2012 original.
Dave Bittner: [0:02:21] One apparent difference is cosmetic. The original Shamoon replaced data with propaganda images - burning American flags, jihadist execution pictures - while this one appeared to encrypt rather than destroy data through overwriting. Upon further review, that seems not to be the case. ZDNet reports that it looked as if the data had been encrypted. But in fact, it was simply overwritten with crypto-looking gibberish - garbage data, as an outside analyst told ZDNet.
Dave Bittner: [0:02:51] Another difference seems to lie in the malware's mode of transmission. The original Shamoon samples came with SMB credentials that enabled it to propagate across the targeted network. This has led to speculation that the infection arrived through exploitation of remote desktop protocol. The third significant difference is the absence of a networking component. Unlike its predecessors, this version of Shamoon didn't have a command and control server configured. That suggests it was deployed manually and not, for example, by a phishing email.
Dave Bittner: [0:03:24] Iran is also being mentioned in connection with another cyber campaign, this one directed at more conventional espionage. The AP is reporting today that Iran's Charming Kitten cyber espionage group was sent out to collect against targets that might yield intelligence relative to sanctions the U.S. has reimposed in an attempt to curb Tehran's nuclear ambitions. Charming Kitten, the AP was told by London-based security shop Certfa, went after private email of U.S. Treasury officers involved in sanctions enforcement. Their collection list also extended, the AP says, to high-profile defenders, detractors and enforcers of the nuclear deal struck between Washington and Tehran. They were also interested in Arab nuclear scientists, D.C. think tanks and various Iranian civil society figures.
Dave Bittner: [0:04:17] We spoke yesterday about DevOps and the desire to better integrate security throughout a product life cycle. We get additional perspective today from Aqua Security's Liz Rice, who advocates a notion she describes as shifting left.
Liz Rice: [0:04:32] I guess, traditionally, we often see security seen as something you apply to software that's already been written and patches already been deployed. Quite often, it's a separate security team who really aren't very involved with the development of the software. So if we're talking about shifting left, we're really talking about involving security earlier in the development life cycle of that software. But what we're seeing increasingly in a DevOps world is we need to be able to ship software faster. We need to be able to deploy more frequently. And then that means you can't really just be having the security conversation at the end. It needs to be automated. It needs be part of these automated processes that are deploying software, often, many times a day.
Dave Bittner: [0:05:25] And for a typical security team, how much of a culture shift is this?
Liz Rice: [0:05:30] I think it can be a really big shift, actually, particularly if you think about the world of containers, the world of orchestration. We go from - you know, an organization may have traditionally shipped software four times a year, say. And suddenly, the security team are asked to deal with software that's being deployed, well, as I say, several times a day. And every time you deploy something, there's got to be a question mark over well, what is it that we're deploying? And does it have any vulnerabilities? And how can I, as a security person, take responsibility for software, where, perhaps, it's being run under an orchestrator? So I don't even get to control where the software is run. It's up to an orchestrator to automatically deploy software somewhere in our cluster.
Dave Bittner: [0:06:26] So what are your recommendations for organizations who want to do this, who want to shift security, as you say, more to the left? What's the best way for them to approach it so that it won't have a negative impact on their team?
Liz Rice: [0:06:39] So I suppose it has to be part of a broader discussion of the adoption of DevOps practices. And for any given organization, they really need to understand what it is they're trying to achieve. Usually, in my experience, at least, it's a business desire to be able to shift software more quickly, to be able to deliver functionality to customers more quickly, to be able to be more responsive to change. So I think having everybody onboard with that, you know, with those requirements, with the benefits of moving to this kind of process - if that works for the particular organization, if that's important for them - having everybody understand what they're trying to achieve, and then thinking about it in a manageable way.
Liz Rice: [0:07:30] There are lots of really great stories out there from organizations who have adopted moving to the cloud, moving to cloud-native technologies. So figuring out what you want to achieve, figuring out what your first project, what your journey should look like by trying to learn from other people's experiences and talking to all the stakeholders from the business side, from the developers, from the operations team and from the security team - I think those would be my key recommendations.
Dave Bittner: [0:08:02] That's Liz Rice from Aqua Security.
Dave Bittner: [0:08:06] Chinese cyber-espionage and a growing penchant for influence operations continue to draw attention from nations that feel themselves most directly threatened. Tensions between China and the U.S. remain high, and they're exacerbated not only by continuing conflict over trade but also by a growing suspicion that Chinese intelligence services were behind the very large, long-enduring attack on Marriott that, since 2014, has compromised some 500 million articles of personal information.
Dave Bittner: [0:08:37] Sources close to the investigation, as they say, are telling Reuters and others anonymously that U.S. investigators are close to making a convincing case for Chinese responsibility. It's also been noted that 2014 was a big year for Chinese cyber-espionage. That was also the year of the big OPM breach that scooped up a great deal of personally identifiable information from the U.S. government. Chinese involvement is widely suspected in that case, too.
Dave Bittner: [0:09:06] A new wave of U.S. indictments of Chinese nationals on hacking charges is widely expected, but that hasn't happened yet. An official of the Department of Homeland Security told a Senate panel yesterday that the investigation was still in progress and not ready to move to the next stages. New sanctions are also widely expected, but these haven't materialized either. But the third generally anticipated U.S. response, public denunciation, has happened. And it arrived with some éclat in testimony before the U.S. Senate Judiciary Committee yesterday. Senior counterintelligence officials from DHS, the FBI and the Department of Justice characterized China as a big threat, maybe the biggest threat, to the American economic and technological place in the world.
Dave Bittner: [0:09:53] In committee hearings on nontraditional espionage against the United States, officials outlined a picture of Chinese strategy designed to supplant U.S. leadership. Assistant Attorney General John Demers put it this way. Quote, "the playbook is simple - rob, replicate and replace. Rob the American company of its intellectual property, replicate the technology and replace the American company in the Chinese market, and one day, in the global market," end quote.
Dave Bittner: [0:10:21] The Senate hearings were also noteworthy for mention of influence operations exercised in universities through China's Confucius Institutes - educational and cultural establishments that have, over the past year, received increasing scrutiny as centers of government-directed influence. Russian influence operations have long received the most attention, but there are now suggestions that China is mounting such operations of its own. Beijing's style is quite different from Moscow's, running far more toward economic entanglement and tendentious cultural exchange than it does toward trolling, catfishing and opportunistic, gonzo black propaganda. In the U.K., MPs are also warning of Chinese presence in universities. But the British problem is seen as excessive coziness with Huawei.
Dave Bittner: [0:11:11] As noted yesterday, Huawei's CFO Meng Wanzhou has posted bail in Vancouver as she awaits further proceedings that could lead to her extradition to the United States. Feelings over this matter are running high. And in a patriotic direction over in China, authorities there are believed to have taken a second Canadian citizen into custody in apparent retaliation for Ms. Meng's arrest.
Dave Bittner: [0:11:36] It will be interesting to see how various advance fee scammers will make use of the current state of the Meng case. Earlier this week, they were using emails in which someone posing as Ms. Meng or her agent solicited a couple thousand bucks so she could bribe her jailer and escape. She's out now, so that won't be as plausible. A more interesting touch in the scam emails was a veiled promise of romance. That's also probably out the window now that it's generally known that not only does Ms. Meng have a husband, but that said husband is with her and helping her abide by the terms of her release. But let's not underestimate the cunning and imagination of the grifters. Sure, it's low cunning. And yes, the imagination is on the mechanical side. But they do find their marks. There's one of those born every minute.
Dave Bittner: [0:12:28] It's time to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. To learn more, check out their newest white paper titled "Threat Intelligence Platforms: Open Source vs. Commercial." As a member of a maturing security team evaluating threat intelligence platforms, or TIPs, you may be asking yourself whether you should use an open-source solution, like a malware information sharing platform, or MISP, or buy a TIP from one of the many vendors offering solutions. In this white paper, ThreatConnect explains the key technical and economic considerations every security team needs to make when evaluating threat intel solutions to help you determine which is right for your team. To read the paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [0:14:03] And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. You had an article on the Naked Security blog from Sophos, and this is about passcodes being protected by the Fifth Amendment. This is a topic we've touched on before. What here is new and interesting?
Ben Yelin: [0:14:24] So as you know, the Fifth Amendment protects you against self-incrimination. So the government cannot force you to incriminate yourself in the commission of a crime. That's one of our most cherished constitutional protections. In this case, which concerned an underage drunk driver, the government thought they could obtain evidence from the driver's smartphone device. So they asked that driver to enter the passcode into his smartphone. And based on that information, they were able to obtain the conviction. The defendant appealed saying that just asking for that passcode violated his Fifth Amendment right against self-incrimination.
Ben Yelin: [0:15:05] And amazingly, there's been a lot of case law on this. And it comes down to what's called the foregone conclusion exception - or the foregone conclusion standard. So if the government can show that it knows that the defendant knows the passcode, then the Fifth Amendment is not implicated because eventually that person is going to have to open the phone. It is a foregone conclusion. The government has some proof - maybe they've actually seen the individual unlock that phone with that passcode. So it need not go through these Fifth Amendment hoops - or these judicial hurdles - to obtain access to that information.
Ben Yelin: [0:15:41] What this opinion is suggesting, for the first time - and what I think is very interesting - is that the foregone conclusion doesn't necessarily apply when we're talking about obtaining the contents of information inside the phone. So what the court in this case made clear is that the government doesn't care about the passcode per se. It's very rarely going to be evidence that a person's passcode is 5-6-4-3. That doesn't really matter for police purposes. What matters is the content inside the asylum and whether that content contains information that's incriminating to a potential criminal defendant.
Ben Yelin: [0:16:17] And what the court here is saying is it is not a foregone conclusion in this case that information on this individual's phone was going to have relevant information to that person's prosecution. At the very least, the government didn't prove, with any level of certainty, that they knew what was on the phone - they knew what they were looking for, and that information was going to lead to the defendant's conviction.
Ben Yelin: [0:16:39] So this raises the suggestion - and, again, it's just one court, and it doesn't necessarily apply nationwide - that there's going to be a higher standard as it applies to the government trying to unlock devices. They will now have to show, with some level of particularity, that there is something on that device - a piece of information that they know is there - in order to unlock it. Otherwise, the defendant has a valid right against self-incrimination. So if we see this applied elsewhere, I think it would have a major impact on law enforcement. I mean, because we collect so much in our smartphone, and it contains every last iota of information about us, these are, you know, evidence Valhallas for law enforcement. And if it's harder for them to get access to these devices, then I think that Fifth Amendment right against self-incrimination will have more meaning in the digital age.
Dave Bittner: [0:17:37] You know, it's interesting because this runs contrary to what I had believed or thought, which was that - you know, we've talked about how they could compel you with biometrics. You know, they could force you to use your fingerprint to unlock your phone, but they couldn't force you to reveal a password. And what you're saying here is that, no, they could compel you through a court order to reveal that password.
Ben Yelin: [0:18:00] They could - not according to this particular court's holding.
Dave Bittner: [0:18:05] Right.
Ben Yelin: [0:18:05] But several courts have basically upheld that if the government has reason to believe that, you know, that person can unlock their phone, then that does not count as testimonial evidence. And under this foregone conclusion standard, then, you know, the criminal defendant is just going to be out of luck in those circumstances. They will have to unlock their phone. If they're not, they're going to be held in contempt. And that's the exact thing that this Fifth Amendment right of self-incrimination is trying to avoid. You have these situations where - you know, let's say you have incriminating information on your phone, and you are asked to reveal it. You basically have two options. You do not reveal it, and you're held in contempt. Or you do reveal it, and, you know, you're going to be convicted of a crime.
Ben Yelin: [0:18:52] And that's exactly why we have the Fifth Amendment right against self-incrimination. We don't want to put people in that situation. So you know, one thing I would say about biometrics - in the equivalent of the physical world is something like a police lineup, where you are identified affirmatively by a witness. And that does not count as testimonial evidence for the purposes of the Fifth Amendment because you're not really revealing anything about yourself. You're just, you know, showing your face to somebody. So I think that's why, at least to this point, courts have analogized biometrics facial recognition to that non-digital standard.
Dave Bittner: [0:19:28] All right. That's interesting. Ben Yelin, thanks for joining us.
Ben Yelin: [0:19:32] Thank you.
Dave Bittner: [0:19:37] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsors, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [0:19:56] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.
Dave Bittner: [0:20:05] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.