Dave Bittner: [00:00:03:18] An arrest has been made in the German doxing case. The US begins a campaign to heighten businesses' awareness of cyber espionage. Observers see a coming cyber cold war, with China on one side and a large number of other countries on the other. Facebook is following a widening investigation into the use of inauthentic accounts, ads and sites, in recent US elections. And WikiLeaks' lawyers tell news media to stop defaming the organization and its founder.
Dave Bittner: [00:00:38:18] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. As your organization continues to expand outside the data center to the cloud, branch office and device edge, your attack surface opens up to more and more risk. With major breaches announced nearly every day, security operations teams need a better way to identify vulnerabilities and hunt threats inside the perimeter. ExtraHop cuts through the noise of traditional security alerts with network traffic analysis that provides full east-west visibility, real-time threat detection from core to cloud, and guided investigation workflows. All the clarity and context you need to act quickly and with confidence. Don't just take our word for it, explore the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:41:20] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, January 8th, 2019.
Dave Bittner: [00:01:50:17] The BKA, the German federal criminal police, have made an arrest in the doxing case. They pulled in a 20 year old man, a student in Hessen. The suspect has not been named publicly, presumably because of his relatively tender years and German privacy laws. He had no previous criminal record and was living with his parents. He told police that his motivation was anger and disaffection with politics generally.
Dave Bittner: [00:02:18:02] The Frankfurter Allgemeine says that one of the suspect's acquaintances, a 19 year old from Heilbronn, who works in IT, is being questioned as a witness, but is not himself a suspect. The student who's been arrested says he worked alone, and the authorities appear to think that's correct.
Dave Bittner: [00:02:36:21] A more extensive report will be out from the Justice Ministry later this week, but it's worth reviewing some of what's known about the case. First, a great deal of material was collected and leaked, for the most part through a now-suspended Twitter account belonging to someone who went by the nickname "G0d", with the middle character a coy zero as opposed to an honest O. Second, the material wasn't particularly discreditable or scabrous. It was anodyne, things like rental car agreements. Third, it affected all political parties except one far right group, the AfD, or the Alternative for Germany. And fourth, speculation about attributions centered on two theories: it was generally believed that the long-running doxing was the work of either the Alternative for Germany or, naturally, the Russians.
Dave Bittner: [00:03:26:23] The AfD's apparent immunity to doxing struck people as fishy, and a bet on Russian mischief is usually a safe one. Unlike, say, our Baltimore Ravens, Moscow almost always covers the point spread. But in this case, no, it was an apparently solitary and alienated student. The lesson, again, is that attribution is a dicey business.
Dave Bittner: [00:03:50:22] The BKA says the student made a full confession, said he acted alone because he was annoyed by his victims' public statements and wished to expose them. The police also say there was no apparent political motive, except of course insofar as annoyance with public figures counts as a political motive.
Dave Bittner: [00:04:11:02] Concerns about Chinese cyber espionage persist, and even spread, with some observers thinking that Beijing may be badly overplaying its hand, particularly with respect to its detention of Canadian citizens in apparent and obvious retaliation for the arrest in Vancouver of Huawei's CFO.
Dave Bittner: [00:04:30:05] The US government, with the NCSC in the lead, yesterday warned companies of all sizes about the threat of cyber espionage. NCSC is undertaking a public education and awareness campaign to recommend best practices for self-protection. Chinese espionage is the principal concern, but such best practices would be broadly applicable to a range of threats.
Dave Bittner: [00:04:54:17] NIST recently finalized their updated password recommendations. NIST 800-63B password guidance, and there are several notable changes in their recommendations from previous versions. Robb Reck is Chief Information Security Officer at Ping Identity. He joins us to review what's new.
Robb Reck: [00:05:14:08] In June of 2017, NIST released new password guidance, and this password guidance took the place of the old guidance that we're all familiar with, which is the eight characters, upper and lower case with a number and a special character as a part of it, and really has a more holistic or programmatic way of looking at password requirements. So there's a lot of different details, including different levels of assurance that you need to look at, but I think it really boils down to a few key changes that I can summarize.
Robb Reck: [00:05:43:11] Number one, they do have a minimum password length of eight characters, which is not a change, although they say they do now enforce that you need to have a longer maximum. So that's one of the challenges you'll see in a lot of implementation of passwords is that they'll have a maximum password length, you know, sometimes as low as eight as well, or, you know, maybe 20 characters. And they're saying your maximum has to be at least 64 characters, and of course it's better if you can have a higher maximum than that.
Robb Reck: [00:06:10:09] They specifically say all printable characters should be allowed, including spaces. This of course enables people to do things like have passphrases instead of having just a normal password. And then a big change is they get rid of the complexity requirements. They're no longer saying you have to have a number, you have to have a special character as a part of it. And they're also getting rid of the requirement around having a schedule based password expiration. So we're all familiar with this expectation that your password expires every 90 days or so.
Robb Reck: [00:06:38:13] So how do they do this, right? It sounds awfully dangerous. Well, the way they do it is they now are requiring that every password that you consider using gets compared against a database of known bad passwords. So you may be familiar with Troy Hunt's Have I Been Pwned database.
Dave Bittner: [00:06:55:00] Yeah, sure.
Robb Reck: [00:06:55:19] A good example of one of those, every password, as it's being set or used, should be compared against that database to see is it known to be bad out in the wild? So that helps mitigate some of that risk. You know, as you start thinking about all those easy passwords someone could use if there's no complexity, well, all those passwords are already gonna be a known breached password.
Robb Reck: [00:07:14:14] They also require that MFA is a requirement for any sensitive password at least, and they have removed SMS as an acceptable two factor to use as your MFA.
Robb Reck: [00:07:24:16] So between the known breached list of passwords and MFA, they believe they're getting pretty good security.
Dave Bittner: [00:07:29:20] For the folks who fall under this, the folks who are actually out there on the ground, who have to use this, what are the practical implications?
Robb Reck: [00:07:37:04] Yeah, I'd say, number one, it is a lot better usability for your users, you know, they don't have to change and learn a brand new password every eight months, as long as they haven't been breached. But it isn't super easy to implement, you know, we don't have yet like Active Directory, it doesn't have a really easy way for you to do this on premise. Microsoft has been working on it in their Azure AD, and companies like Ping have found ways to implement this with R Solutions, but if you're just trying to do it on your normal on premise system, it's not a plug-and-play setting to turn on in your AD. So you have to think about things like where do you put this? If you can do it in the directory itself, that's good, but if you don't have a directory that supports it, you need to do in line, maybe through a password changing website, or maybe if you have single sign on through the place where you're signing in, you can implement that password check, so you're seeing is this a breached password? Is this a known good password?
Robb Reck: [00:08:32:14] So, while it's not too bad to check passwords while they're sitting in the directory itself, it might be easier for you to check it as they're signing in, so you're getting that password in clear text and you're not having to compare a hash. You actually get the real password itself that you can hash on your own, because one of the elements you have trouble with is, if you're salting your passwords, and you definitely should be salting your passwords, you can't necessarily tell from the hash what password it is you're looking at.
Dave Bittner: [00:08:58:04] Now these are guidelines from NIST, so what is the authority behind these? Is it up to individual agencies to say, "Yes, we're going to adopt these," and so these are the rules here from now on?
Robb Reck: [00:09:10:12] Yeah, so the expectation is over time this is gonna become the de facto password standard for the industry. NIST is the one who created the original standard, and, if you look, the vast majority of our corporate security policies and standards out there have adopted NIST's guidance to do it. And as a vendor myself, running security as a vendor, I have a lot of customers who are expecting me to stay up to date with what are the industry best practice for passwords. And we expect, over the next two to five years, to start seeing a lot more companies moving toward this. I think in the federal government it is gonna start to be an expectation as enforcement happens, as the agencies start to update their policies and standards.
Dave Bittner: [00:09:50:21] That's Robb Reck from Ping Identity.
Dave Bittner: [00:09:56:15] The Czech Republic has ordered an investigation of security risks it thinks Huawei and ZTE devices might pose, and is considering a ban. Australia's government has taken a line as stiff as its Five Eyes sisters, especially the American ones, on further incursions of Huawei into the country's infrastructure. The Australian Broadcasting Corporation reports that there's growing grassroots concern about the Huawei-built pre-5G cell boxes people see around Sydney.
Dave Bittner: [00:10:27:07] Japan has effectively banned government purchases of Chinese telecom equipment from this year going forward. The concerns, of course, involve security, and Huawei is currently holding talks with Japanese authorities to negotiate some relaxation of that ban. The company is said to be offering to buy more Japanese-made components in the hope that this will help allay security concerns.
Dave Bittner: [00:10:51:17] Most of the talk about the espionage concerns surrounding Chinese equipment manufacturers has been about Huawei, with ZTE a respectable second. It's unlikely that these worries will be confined to just those two companies. A Bloomberg op-ed thinks more manufacturers are likely to receive hostile international scrutiny, with Lenovo mentioned as the company most likely to be next in the barrel.
Dave Bittner: [00:11:16:00] A cyber cold war, complete with spheres of influence, is widely predicted.
Dave Bittner: [00:11:22:16] Facebook's investigation into democratic inauthentic election influence operations widens. Operation Birmingham, said to have been funded by wealthy party donor and LinkedIn billionaire, Reid Hoffman, appears to have worked to influence the Alabama 2016 special senatorial election in favor of the eventual narrow winner, Senator Doug Jones.
Dave Bittner: [00:11:45:10] There were also apparently unsuccessful operations against the 2018 campaigns of senators Blackburn of Tennessee and Cruz of Texas.
Dave Bittner: [00:11:54:14] Facebook is looking into what may be systematic use of inauthentic news feeds, ads and sites. Senator Jones has called for an investigation. Mr. Hoffman has said he's embarrassed, and should have paid closer attention to what was going on. The tactics employed, as described by the Washington Post, show close attention to lessons learned from the Internet Research Agency, the notorious St. Petersburg troll farm.
Dave Bittner: [00:12:21:01] Finally, WikiLeaks circulated a confidential legal memo to several news outlets outlining 140 false and defamatory things they should stop saying about WikiLeaks and Julian Assange. The communiqué was probably prompted by reporting in the Guardian, where stories about Mr. Assange's alleged meetings with then-candidate Donald Trump's campaign operatives are being strongly denied by WikiLeaks.
Dave Bittner: [00:12:47:12] The confidential legal memo, foreseeably leaked as soon as received, may be read full and unredacted at Ars Technica and elsewhere. The Times of London is among those papers sniffing at the irony of WikiLeaks pleading privacy and confidentiality, but in fairness to the House of Leaks, we must say that, having read their memo, it really is protesting inaccuracy, not intrusiveness.
Dave Bittner: [00:13:12:20] Among the misapprehensions WikiLeaks' lawyers are particularly concerned to correct are the following: that Mr. Assange is a paid Russian agent, that WikiLeaks has members like al Qaeda, as opposed to employees like the ones any legitimate media outlet would have, and that Mr. Assange not only hates the United States, but also bleaches his hair and neglects his cat. So nota bene, Mr. and Mrs. United States: Mr. Assange loves you, wears his own unredacted hair, and is good to his cat.
Dave Bittner: [00:13:51:02] Now a moment to tell you about our sponsor, Attila Security. Attacks on the US Defense Industrial Base supply chain, otherwise known as DIBS, is one of the most pervasive cyber threats facing our nation today. DIBS are vulnerable for a variety of reasons ranging from legacy software and systems, and a corporate culture that values operations over IT security. Cyber criminals exploit these weaknesses and target their attacks on DIBS in order to gain access to government networks. Attila Security is tackling this threat head on. Attila Security's Go Silent technology features a portable security appliance that installs in minutes by any non-technical user. Go Silent is a firewall and VPN in one, and turns unsecured data transmissions into top secret level security communications in just minutes.
Dave Bittner: [00:14:44:01] Attila Security's products and solutions enable organizations to keep data secure while avoiding disruptions to daily operations. To learn more about how Attila secures the DIB supply chain, visit attilasec.com, that's spelled A-T-T-I-L-A-S-E-C.com. And we thank Attila for sponsoring our show.
Dave Bittner: [00:15:15:16] And joining me one again is Emily Wilson, she's the Fraud Intelligence Manager at Terbium Labs. Emily, it's good to have you back. You all recently posted some information about credit card fraud, sort of centering around what you describe as the nine lives of a credit card. That's interesting to me, take us through what we're talking about here.
Emily Wilson: [00:15:34:04] You know, I've talked before with you and with the listeners about fullz, F-U-L-L-Z, these are full identity kids, or full identity packs, and those usually include something like payment card information, so a card number, expiration date, CVV code, the security code on the back. It might also include helpful account information, so in addition to the card information and card holder details you might get mother's maiden name or answers to security questions. And, as I'm sure you can imagine, these are very appealing to fraudsters, who like to exploit all that data.
Dave Bittner: [00:16:07:22] Right, it's sort of a premium package for sale. A fullz.
Emily Wilson: [00:16:12:00] A fullz, it's everything you need to get the job done. And so what's interesting is that the core of that is that credit card information, because it's the thing that you can cash out most easily. Well, getting back to the spooky dark web times, we've recently seen some listings across markets for what are called dead fullz, and these are not what you might expect at first glance, which is a fullz for a deceased person. We're not going to get quite that macabre this early in the season. But instead they are fullz where the vendor is actively saying, "Hey, this credit card doesn't work anymore, but if you still want these identities, have at it."
Dave Bittner: [00:16:50:02] Hm, so it's like the day old bread of fullz. So what is the appeal? If the credit card doesn't work anymore, what's in there that they still find valuable?
Emily Wilson: [00:17:01:01] A lot of things. We think about when a payment card is compromised, you know, there's a sense that if you turn that card off, then everything is taken care of. But depending on what other data is compromised, there's a lot more at play. And when we're talking about identity data, you can't really turn that off the way you turn off a payment card. So yes it's unfortunate you can no longer exploit this particular payment card account, but guess what, you still have names and contact information, and mother's maiden name, and security question answers, which it's easy to remember where you went to high school, so I'm sure you use that on every site. And you can do a lot with that, and you can do a lot with that for a very long time.
Dave Bittner: [00:17:43:07] So from a consumer's point of view, what's the situation here? I mean, if my credit card's been compromised, or somehow I get a report that my credit card's been up for sale on the dark web, and I get that card changed, I might not necessarily be out of the woods?
Emily Wilson: [00:17:59:10] That's right, and that gets to the idea of this nine lives of a credit card, right? Because one compromise, even if that compromise is centered around a credit card, that may not be the end of it. Just because the card is dead doesn't mean the fraud's over. And this gets to the broader conversation that we're having in the industry at this point, and I'm glad we're getting there, which is what do we do? What do we as vendors, what do we as consumers do in an industry, or in a world, where everything is compromised or will be very soon? You know, how do you fight the battle against identity theft when your information is out there ten times over? And I think this is a problem we're going to see more of, and I think this is an example where the first thing the fraudsters wanna go after is the payment card, because it's easy, you cash it out and you go away. But they're willing to put some effort in, and it's going to be very difficult for consumers to match that.
Dave Bittner: [00:18:53:08] It is a whole other range of folks who are out there willing to play a longer game.
Emily Wilson: [00:18:58:18] Mm-hm.
Dave Bittner: [00:18:59:07] Yeah, all right, well, Emily Wilson, thanks for joining us.
Dave Bittner: [00:19:07:08] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:20:01] The CyberWire Podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor, Jennifer Eiben, technical editor, Chris Russell, executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.