The CyberWire Daily Podcast 12.19.18
Ep 748 | 12.19.18

Suspicion of Chinese hardware manufacturers continues. EU diplomatic cables leaked. Hiding out by dumbing down. Facebook data-sharing. NASA PII exposed. Parrot uses Alexa to advantage.

Transcript

Dave Bittner: [00:00:03] There's more skittishness about Chinese hardware manufacturers. We'll explore information operations in Taiwan's elections. EU diplomatic cables have been hacked, rehacked and published - dumbing down cyber craft as a form of misdirection. More Facebook data sharing practices come under scrutiny. NASA PII has been exposed. The investigation continues. And did you hear the one about the parrot, Alexa, Amazon orders and sappy dance tunes?

Dave Bittner: [00:00:39] Now a word from our sponsor Shape Security. Last year, 2.3 billion usernames and passwords were reported as compromised. It says everyone in America had passwords stolen for not just one but seven online accounts. And that's just the data reported last year. It can take years for a credential spill to be reported if it's discovered at all. Why do these spills matter? Two words - credential stuffing. Attackers take those spilled usernames and passwords and try them on every log-in form imaginable. Because users recycle passwords, up to 3 percent of stolen credentials will be valid on a typical website or mobile app. Once they're in, attackers steal whatever they can get from gift cards to frequent flyer miles. And it adds up. This year, credential stuffing will pull nearly $9 billion from our banking, travel and e-commerce accounts. But there's hope - as consumers, use unique passwords. As organizations, join Shape Security's collective defense platform because together, we can defeat account takeovers. To learn more, visit shapesecurity.com. That's shapesecurity.com. And we thank Shape Security for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:02:00] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, December 19, 2018. Skepticism about Huawei and, to a lesser but noticeable extent, ZTE hardware continues to rise. There are calls in India for restricting the use of the Chinese company's devices in that nation's networks. And the U.S. diplomatic push to warn allies against the security threat it sees in these manufacturers continues.

Dave Bittner: [00:02:30] The Washington Post notes signs of Chinese government interest in developing information operations capabilities comparable to those Russia has shown. Recent activities in Taiwan during that island nation's elections are seen as a bellwether and something the U.S. ought to be thinking long and hard about right now.

Dave Bittner: [00:02:50] In another action linked circumstantially but plausibly to China, diplomatic cables from the European Union were successfully intercepted by hackers, as they're being characterized. Area 1, the Redwood City, Calif.-based security startup, is credited with discovering the intrusion. The hackers, presumably, not only intercepted the cables but read them as well - a reasonable conclusion since New York Times subscribers have now read them as well. Area 1 says the cables were carried by COREU, the European diplomatic correspondent system, which was compromised over a three-year period.

Dave Bittner: [00:03:28] According to reports, Area 1 found the intercepted cables exposed on an unsecured server in the course of investigating a phishing expedition conducted against the government of Cyprus. Area 1 characterized the hackers as elite, which has raised some eyebrows at Computer Business Review and elsewhere. One would imagine sophisticated hackers know better than to leave stuff lying around like that. But still, everyone has lapses in - well, haven't you ever had a bad day?

Dave Bittner: [00:03:58] Anyway, Area 1 told The New York Times that signs clearly point to a unit of China's People's Liberation Army. Area 1 co-founder Blake Darche is quoted in The Times as saying, "after over a decade of experience countering Chinese cyber operations and extensive technical analysis, there is no doubt this campaign is connected to the Chinese government," end quote. The EU has declined comment beyond noting that it takes matters of this kind very seriously, as well it might.

Dave Bittner: [00:04:30] Much of the comment on the incident has been on the contents of the cables, which don't seem particularly surprising. EU diplomats worry about American cowboyism, which they've done since before there was an EU. They're concerned about Iran. Russia's operations in Ukraine bother them, and so on. The Register is among those to note the anodyne character of a lot of the material. Trade missions continue. Did you know Afghanistan is unstable and produces illegal opium? Lots of diplomats agree North Korean nuclear weapons are a bad thing, as one says, and so on. It's not, as The Register observes in its customary, world-weary fashion, Wikileaks Part II.

Dave Bittner: [00:05:12] Comment from other parts of the security industry have been mixed to negative with many calling into question the decision to turn hacked cables over to a newspaper, as well as the newspaper's decision to publish them. The comments have come from a variety of places in the sector, so it would be rash to dismiss them as government stooges.

Dave Bittner: [00:05:33] So Area 1 concludes, on the basis of circumstantial evidence, that the operation was a Chinese one. They may well be right. The sheer indiscriminate appetite for information, regardless of its utility, does seem much in Beijing's style, also in Washington's indiscriminate cowboy style. But other signs point to China. And in fairness, that does seem the likeliest suspect. It's worth noting, again, the ways in which nation states complicate attribution by hiding in the criminal, hacktivist and skid noise that so fills the online world.

Dave Bittner: [00:06:08] Recorded Future has noted a trend in state intelligence operations. Dumb down your craft to make a hack look like the work of criminals or hacktivists. This happens linguistically as well. It's worth noting that the Internet Research Agency's performance on Instagram and Twitter shows that had it chosen to use them, Moscow had an American English fluency available that never appeared, except, perhaps, by inversion in Shadow Brokerese.

Dave Bittner: [00:06:36] The New York Times has been on other cases as well. The paper reported late yesterday that Facebook gave various big tech partners, including Apple and Amazon, access to some user data, including some messages. Facebook replies that the partnership was benign, that user data wasn't handed over without user consent and that in any case, the more aggressive forms of sharing stopped as Facebook tightened its privacy policies over the past year. But eroding trust in the social medium seems to have made it impossible for the company to avoid another black eye. It's running out of eyes. Facebook's British nemesis, the Department for Digital, Culture, Media and Sport, has requested an explanation.

Dave Bittner: [00:07:20] It may not be as prevalent in the headlines these days, but crooks are still making use of ransomware, targeting individuals and businesses and making them pay up if they ever want to see their files again. Michael Doran is senior security consultant at Optiv. And we checked in with him to see how organizations are preparing themselves for the possibility of a ransomware attack.

Michael Doran: [00:07:43] So there is a variety of avenues that individuals are taking. The first most prevalent one that we're seeing from our standpoint and my team is they're taking the proactive approach into beefing up their security, both from the technology standpoint and from the proactive side, which is where they're training their individual responders and their end users on specific IOCs or indicators of compromise as it relates to ransomware.

Michael Doran: [00:08:15] There are other options, which is starting to make it into the mainstream methodology, if you will, for responding to that. And that is the implementation or the garnering of cryptocurrency as a way to pay off in the event that the ransom does take hold of their environment.

Dave Bittner: [00:08:36] So this is companies having a stash of cryptocurrency on hand so that if they do find themselves hit by this, they're not scrambling around, trying to figure out how they're going to pay the bad guys.

Michael Doran: [00:08:48] That is correct. It's at the ready in the event that something bad happens and they can't afford to have any amount of downtime. So it's a quick fix, if you will. Albeit it's not the best option, but it is options that are starting to make a more prevalent way into mainstream response.

Dave Bittner: [00:09:10] Yeah. I mean, that's an interesting insight because of course, we know that the FBI discourages paying the ransom. But I suppose when it comes down to it, sometimes, that's a practical way to come at this.

Michael Doran: [00:09:21] It is, but it also has a lot of drawbacks to it in that it opens you up to the perception from the outside that you are willing and able to pay a ransom for the attack, which is bad, not only from the standpoint of once you get encrypted and you pay it off, they come back at you again for a higher dollar amount. Also, we're starting to see more and more attacks on environments strictly for the cryptocurrency - not so much for the data that the company holds but because they have stockpiles of cryptocurrency.

Dave Bittner: [00:10:03] Now, are there any special things that companies have to look out for when they're keeping stashes of cryptocurrencies in terms of staying within regulatory frameworks and so forth?

Michael Doran: [00:10:15] That's where the tricky part comes in is that because cryptocurrency is still in its infancy stages, there's not a lot of regulation regarding its use and/or creation through the Bitcoin mining and purchase. However, as it is gaining popularity, you're going to start seeing - if not right now, you're starting to see a little bit of government interaction in the financial sector into regulating its use and what can be done and can't be done with it.

Dave Bittner: [00:10:44] So when you're out there providing advice to the companies that you deal with, what are you saying to them? Is this a multitiered approach? Should - is it protecting from both sides?

Michael Doran: [00:10:56] So what we typically do from our standpoint - Optiv's standpoint - is we take a neutral stance in that we don't advocate paying the ransom at all. We side with the FBI on this. However, if that option is the only available option to the company - they have exercised all available resources and options at their disposal - then that may be an option on the table.

Michael Doran: [00:11:20] However, that option should be discussed in depth internally at the highest ranks before that decision is ultimately made. Where we recommend is taking the money that you would devote to stockpiling the cryptocurrency and invest in your technology stack, in your IR response platform, in your individual end users because from our stance, that's where the initial point comes in. If you can identify it quickly, you can solve it quickly.

Dave Bittner: [00:11:52] What about the importance of having up-to-date and regularly tested backups?

Michael Doran: [00:11:57] It's extremely important because that cuts off - No. 1 - the time frame to actually get business back up and running as usual, especially with environments in the financial sector and the health care sector, e-commerce business, where if something does plague their environment, it could be the opportunity for, you know, lots of money to be lost in the health care world. If it plagues a hospital, you're talking the loss of human life in the event something happens. So not only making the backups but also regularly testing those is of paramount importance.

Dave Bittner: [00:12:37] That's Michael Doran from Optiv. In the U.S., NASA reports a breach that compromised workforce personal data. A notice sent out by NASA HR to the space agency's personnel says, "On October 23, 2018, NASA's cybersecurity personnel began investigating a possible compromise of NASA's servers, where personally identifiable information was stored.

Dave Bittner: [00:13:01] After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised," end quote. The story is developing. We'll have updates as necessary.

Dave Bittner: [00:13:18] Finally, for your consideration, a different kind of insider threat - one that involves a rescued parrot and an Amazon Alexa. It seems that one Rocco, an African grey parrot, has become too cozy with the family Alexa. Rocco is something of a recidivist. He was previously ejected from one of the U.K.'s National Animal Welfare Trust sanctuaries because he was cussing too much, and visitors found the swearing more than they could bear. Also, he's thought to have flung his water bowl at passersby.

Dave Bittner: [00:13:52] Anywho, Rocco was removed to the home of Trust employee Marion Wischnewski, where his saucy beak might give less offence. Soon after Rocco's arrival, Ms. Wischnewski noticed that a number of surprising orders to her Amazon account had been queued up through Alexa. Fortunately, she had the proper parental lock established so no orders could actually be placed without her approval.

Dave Bittner: [00:14:16] But Rocco had been telling Alexa to get him, among other things, light bulbs, a kite, watermelon, ice cream, raisins, strawberries, broccoli and a tea kettle. He also asked Alexa to tell him jokes. Which jokes the news coverage doesn't say, but there's a vast genre of parrot jokes out there. So perhaps it was one of those. Rocco also asked Alexa to play music. His requests tended to be, according to Naked Security, sappy dance tunes. So Rocco, if you're listening, tell Alexa to play the CyberWire. And bird, today our closing music is for you - enjoy.

Dave Bittner: [00:14:59] It's time to tell you about our sponsor, privacy.com. If you're a longtime listener, you've probably heard me mention privacy.com on the CyberWire before. In fact, when I was a guest on another cybersecurity podcast, privacy.com was my pick of the week one week for something that everybody should check out. And here's why - Privacy lets you buy things online using virtual card numbers instead of using your real ones. Think about it. You don't use the same password everywhere, so why would you use the same card number everywhere when you shop online? What's great is that it's super-fast and easy to use. Privacy.com gives you a brand new virtual card number for every purchase you make with just one click. And we've got a special offer for CyberWire listeners. New customers will get $5 for a limited time to spend on your first purchase - 5 bucks, free money. So go to privacy.com/cyberwire and sign up now. That's privacy.com/cyberwire. And we thank privacy.com for sponsoring our show.

Dave Bittner: [00:16:07] And I'm pleased to be joined once again by Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. An interesting story came by on WIRED, and this was about the Signal app, which is a well-known encrypted messaging app. And they're sort of upping their game here with some new protections to make it even more safe. Can you give us - what's some of the background here? What have they been doing, and how have they made it better?

Jonathan Katz: [00:16:33] As you know, because it was in the news a couple years ago, encryption typically is used to hide only the messages that are sent from one party to another. But it doesn't usually hide anything about the so-called metadata, which is information, in particular, about who the sender is and who the receiver is and the fact that these two are talking to each other. And Signal recognized that, and their software until now was like regular encryption - only hid the messages and didn't hide any of this metadata.

Jonathan Katz: [00:17:02] And now they're improving their protocol to also hide information about who's sending the message. So this means that when somebody - person A sends a message to another person, person B, the identity of person A will not be stored by Signal. And it won't even necessarily be visible from the communication packets themselves.

Dave Bittner: [00:17:23] Now, the article points out that, perhaps, this could open up some vulnerabilities as well, that I guess there's less handshaking going on here - verification of the data path.

Jonathan Katz: [00:17:34] Yeah. There are a couple of interesting features here that they needed to address. So for one thing - you know, you think about the sender and receiver communicating with each other. And typically, the receiver would like to know who they're communicating with. And so hiding the identity of the sender seems like a bad idea from that point of view.

Jonathan Katz: [00:17:50] There's also cases where Signal itself is using information about the sender in order to prevent abuse or to prevent the sender from sending too many messages in too short of a timespan, like to prevent spam or something like that. But they've designed things so that they can deal with some of these issues. And in particular, the first one about letting the receiver know the sender's identity without revealing that information to Signal - they've dealt with that by basically adding a second layer of encryption to encrypt the sender information so that only the receiver can then see it on the other end.

Dave Bittner: [00:18:22] So it's encryption all the way down.

Jonathan Katz: [00:18:24] Right, right.

Dave Bittner: [00:18:24] (Laughter).

Jonathan Katz: [00:18:24] And it's pretty interesting, too, because I think Signal - you know, they're demonstrating that they're really taking great care with security. They have some excellent people working on the security of their system, and they're really thinking ahead kind of proactively, keeping one or two steps ahead of an attacker here. And so I think it's really to their credit that they're thinking about this and that they've come up with a protocol to address it.

Dave Bittner: [00:18:47] So Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:18:49] Thank you.

Dave Bittner: [00:18:57] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:25] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.