TA505’s new tools. ISIS turns to emerging chat apps. Reddit asks for password resets. The EU’s right to be forgotten gets some court-imposed limits. The tweets Kaspersky flagged to NSA.
Dave Bittner: [00:00:03] Proofpoint researchers track the latest developments from the unusually diligent cyber criminals TA505. ISIS turns to newer, less closely monitored and moderated apps as it's pushed out of larger social networks. Reddit asks users to reset their passwords and to make them good ones. Google seems to have made strides against expansive interpretation of the EU's right to be forgotten - and the curious tweets of @HAL999999999.
Dave Bittner: [00:00:40] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. As your organization continues to expand outside the data center to the cloud, branch office and device edge, your attack surface opens up to more and more risk. With major breaches announced nearly every day, security operations teams need a better way to identify vulnerabilities and hunt threats inside the perimeter. ExtraHop cuts through the noise of traditional security alerts with network traffic analysis that provides full east-west visibility, real-time threat detection from core to cloud and guided investigation workflows - all the clarity and context you need to act quickly and with confidence. Don't just take our word for it. Explore the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:43] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 10, 2019. Researchers at security firm Proofpoint have described two hitherto undocumented strains of malware - ServHelper, a backdoor, and FlawedGrace, a remote access Trojan now being used in the wild by threat actor TA505. Proofpoint's been tracking TA505 since 2017. It's a criminal gang connected with banking Trojans, ransomware and other forms of cybercrime. The targets against which these malware tools are being used are banks, retail establishments and restaurants. ServHelper is being distributed in phishing campaigns, typically carried by a malicious Word file or PDF attached to phishing emails. ServHelper is then used to install the FlawedGrace RAT. And from there, the theft proceeds. The one-two punch of ServHelper and FlawedGrace is likely to be with us for some time, unfortunately. Proofpoint thinks they represent a long-term investment on the part of TA505 and that the group has shown patience, focus and persistence in the past.
Dave Bittner: [00:02:58] ISIS has, for some time, received attention from content moderators on Facebook, Twitter, Telegram and YouTube, all of which have been interested in pushing the terrorist group off their platforms. Those efforts have certainly been halting and incomplete and frequently criticized by observers who found the moderation insufficient, inconsistent or even insupportable. But they have had a cumulative effect on ISIS. The group has depended on the internet for inspiration, much as the Ayatollah Khomeini depended on distribution of cassette tapes of his sermons to influence opinion in the Shah's Iran before the Islamic Revolution.
Dave Bittner: [00:03:36] Wired has an account of how ISIS is turning from large social networks to more accessible, less easily moderated chat apps. The group's Amaq News Agency has recently found that some newer messenger applications are proving more suitable for their purposes - chat groups, channels and media sharing apps, some open source, many designed for business gaming purposes. Some of these include Rocket.Chat, Viber and Yahoo Together. As they've noticed ISIS promoting their use, several of the applications are seeking to block the group's adherents and followers from establishing a presence there, but with mixed results.
Dave Bittner: [00:04:15] Among the more interesting developments has been ISIS' use of gaming channels for inspiration. Discord in particular is said to be drawing a fair amount of ISIS activity. Wired calls for all of these channels to take quick action against the burgeoning jihadist presence. But it's not clear how such action could be taken in an unproblematic way. Consider gaming channels. How clearly would ISIS content stand out from the ordinary, disinhibited chatter of online gaming?
Dave Bittner: [00:04:45] The seemingly endless string of data breaches and privacy violations by service providers large and small has led to a growing call for meaningful privacy and data protection legislation here in the U.S. Ameesh Divatia is CEO and co-founder of Baffle, a company focused on data encryption and key management. And he offers his views on the growing frustration with how companies handle our private information.
Ameesh Divatia: [00:05:11] Data collection is a given these days. No matter what we do, data will be collected. Obviously, a lot of the tech companies base their entire business models on the fact that they collect data. And they have to profit from it, otherwise they would have to charge for their services. But just because they have data does not mean that they can misappropriate it. And I think that's where regulation really comes in, that we have to make sure that the regulation will make sure that these companies and any entity - it doesn't even have to be a company. Even the government is responsible for losing data. So any entity that collects data has to process it responsibly.
Dave Bittner: [00:05:46] And so how do you propose that that can be done?
Ameesh Divatia: [00:05:50] I think it is a dialogue. I think regulations like GDPR forced the creation of what is known as a DPO, a data protection officer. So data protection officer has to be a key voice in that dialogue. And again, it is a good mix. It is a balance that they have to strive between business needs and the fact that it is somebody else's data that they are processing. So we come up with ways of actually protecting data. One of the important things that the industry is gravitating towards is that the data has to be protected as soon as it's collected. But then the difficult part comes in, which is, how do you figure out a way to process that data without actually revealing the underlying records themselves? GDPR certainly has set the stage, but then over the course of last year, we've had many other regulations that have come in and followed through with that. The California Consumer Privacy Act. Even overseas, countries like Singapore have the Personal Data Protection Act. And all of them are starting to focus on the fact that you have to make sure that the records themselves are protected. They don't necessarily get into the technology and say, this is how you shall protect it. They just say you have to protect the data because if you lose it then you'll be fined.
Dave Bittner: [00:07:09] And do you suppose that those fines are going to have the intended effect, or might we be in for some unintended consequences?
Ameesh Divatia: [00:07:17] Well, we'll see how it works out. I think that decisions are eventually going to be decided by the courts because we already have started seeing some of these lawsuits being filed in connection with GDPR, or now, actually - thanks to regulation in this country - by U.S. entities, as well. The Marriott breach, which is monumental, 500 million records, is a great case in point of how breaches continue to happen. Breaches continue to happen in spite of all the money that's being spent on cybersecurity. So clearly, we are not anticipating these threats well. One of the running jokes we have is one of the reasons why these breaches are not being detected, it's because we have this "Mission: Impossible" threat model that we are working with where we're assuming that the way threats happen and attacks happen is when Tom Cruise drops from the ceiling of the data center and steals disks.
Dave Bittner: [00:08:15] (Laughter).
Ameesh Divatia: [00:08:16] Well, it doesn't happen like that. There's much, much easier ways to steal data. And that's exactly what happened in the case of Marriott, where they stole the data while being privileged users or database administrators, if you will. They were pretending to be administrators, stole the data and encrypted the data on their way out so it couldn't be detected. Many, many details will still emerge. But the early indications seem to be that they did do what was required by compliance, which is protecting data at rest. But it wasn't adequate. So clearly, encryption and protection mechanisms need to continue to evolve to make sure that the threats are mitigated.
Dave Bittner: [00:08:53] Yeah. It's interesting to me. I mean, it strikes me that every company says, your privacy is important to us. But I think we've reached the point where when you hear a company say that, there's a tendency to kind of roll your eyes and say, yeah, but in the meantime, you know, here's everything you're doing with my data. Do you think there's a competitive advantage to be had here from companies who actually, you know, walk the walk, talk the talk?
Ameesh Divatia: [00:09:19] Absolutely, there is. So security's traditionally always been an afterthought. It's always been something that's a necessary evil in order to get through compliance or get to audit. I think this year, 2018, has really been the year at which it starts to become more of a competitive advantage. If you, as the data collector, are able to store the data responsibly and then actually be able to process the data so that you're never actually exposing the data in the clear, that is the winning formula. And that's what will set these companies apart.
Ameesh Divatia: [00:09:57] Notification requirements, like we were talking about in our last podcast, are absolutely all over the place now. Every state has one. Which means that if you lose data in the clear, you have to disclose it. And that is a huge damage to reputation of these companies because they're all consumer-facing, and they have to make sure that customers feel good about doing business with them. So it is going to become a competitive advantage. And I think that's where the companies will take it seriously because their investment now is really about enhancing their business more than just a necessary evil to avoid hackers getting in.
Dave Bittner: [00:10:35] That's Ameesh Divatia from Baffle.
Dave Bittner: [00:10:41] If you're a Reddit user and have recently found your account inaccessible, the service is in the process of restoring access, user by user. Reddit has locked down a large number of accounts over security suspicions aroused by unusual activity in those accounts consistent with the presence of unauthorized users. As users reset their credentials, Reddit is advising them to choose complicated, non-obvious passwords and, above all, not to recycle passwords used in other accounts.
Dave Bittner: [00:11:12] GDPR has had a worldwide impact, but a recent advisory opinion rendered to the European Court of Justice - the EU's high court, based in Luxembourg - may have imposed some limits on the application of the right to be forgotten, in particular. The opinion is nonbinding but significant, and is being regarded as a win for Google, which has been fighting an attempt by French authorities to get the search engine provider to apply the right to be forgotten everywhere.
Dave Bittner: [00:11:40] The basis for the advocate general's opinion is concern about reciprocal efforts such enforcement might have. The advocate general warned that ordering removal of content from sites accessed outside the European Union would, in all likelihood, provoke retaliation by other jurisdictions, who would block information from being accessed from within the EU. As he put it, there's a real risk of reducing freedom of expression to the lowest common denominator across Europe and the world.
Dave Bittner: [00:12:10] And finally, reflections on how NSA came to learn about the possibility that it had a pack rat at Fort Meade continue to take an interesting turn. Redacted court documents released in the Hal Martin case suggested to many that Mr. Martin had been in touch with the Shadow Brokers and perhaps had been the source of the tools the Brokers leaked. One of the tweets mentioned material that had a shelf life of three weeks. But the shelf-life-three-weeks tweets, said to have aroused such suspicion at NSA in 2016, were apparently turned over to NSA by Kaspersky, according to anonymous sources, not authorized to discuss what they know, who spoke to POLITICO this week.
Dave Bittner: [00:12:52] The tweet was addressed to Yevgeny, presumably Eugene Kaspersky himself, by @HAL999999999, as Ars Technica reports. Thus, it was Kaspersky, The Washington Post notes, and not U.S. counterintelligence officers who first twigged to the possibility that someone may have been getting ready to leak classified information. And that warning is being connected to Harold Martin's arrest.
Dave Bittner: [00:13:18] Two points are worth making. First, Mr. Martin, who's entitled to the presumption of innocence, is charged with mishandling and unlawful retention of classified material - not with passing it to anyone. So the Shadow Brokers' leaks that soon followed the tweets may be coincidental, if one believes in such things. Second, as interesting as we find reading and writing about this developing story, the fact that anonymous sources not authorized to speak are speaking as much as they are suggests that U.S. federal insider threat programs remain more loosey-goosey than the intelligence community would probably hope. Sure, it's interesting. But if the feds are this leaky, what hope is there for the average small business contractor trying to control its insider threat exposure?
Dave Bittner: [00:14:05] By the way, how do we know that @HAL999999999 is, in fact, even a person? Couldn't it be some malign AI? It's not exactly the HAL 9000 that Stanley Kubrick and Clarke tried to warn us against in "2001: A Space Odyssey" - too many nines for one thing, but maybe an offspring or a cousin. We've heard about this AI stuff. Think "2001" was just fiction? Head in the sand, sheeple - head in the sand. We're just kidding, of course.
(SOUNDBITE OF FILM, "2001: A SPACE ODYSSEY")
Douglas Rain: [00:14:37] (As HAL 9000) I'm sorry, Dave. I'm afraid I can't do that.
Dave Bittner: [00:14:46] Now a moment to tell you about our sponsor, Attila Security. Attacks on the U.S. defense industrial base supply chain, otherwise known as DIBS, are one of the most pervasive cyberthreats facing our nation today. DIBS are vulnerable for a variety of reasons, ranging from legacy software and systems to a corporate culture that values operations over IT security. Cybercriminals exploit these weaknesses and target their attacks on DIBS in order to gain access to government networks. Attila Security is tackling this threat head on.
Dave Bittner: [00:15:19] Attila Security's GoSilent technology features a portable security appliance that installs in minutes by any non-technical user. GoSilent is a firewall and VPN in one and turns unsecured data transmissions into top-secret level security communications in just minutes. Attila Security's products and solutions enable organizations to keep data secure while avoiding disruptions to daily operations. To learn more about how Attila secures the DIB supply chain, visit attilasec.com. That's spelled attilasec.com. And we thank Attila for sponsoring our show.
Dave Bittner: [00:16:10] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, good to have you back. We had a story come by from WIRED, and this was about the next generation of Wi-Fi security upping their game and increasing security there with better encryption and so on. Can you give us an overview? What's going on here?
Jonathan Katz: [00:16:33] Yeah, this is a new standard - the WPA3 standard that's been coming out to protect, as you said, the wireless communication. And it has a number of interesting features, actually, and upgrades to the previous security that was being offered by WPA2. And in particular, one of the things it addresses is the fact that many people might be using a very weak password to protect their wireless communications. And they built in protection here to kind of mitigate against that sort of thing.
Dave Bittner: [00:17:00] And how can they do something like that? What's going on under the hood?
Jonathan Katz: [00:17:04] Well, right now, in the WPA2 standard, the password is sent in such a way or used in such a way that an attacker can record the conversation between a user and the base station, record all the messages that were sent back and forth and then go offline and try to apply what's known as an offline dictionary attack - basically trying thousands of different potential common passwords until it finds the right one. And the point is that those kind of offline dictionary attacks are much more easy for an attacker to carry out than an online attack where they have to sit there and actively interact with your network. So the new WPA3 standard actually prevents this offline dictionary attack, which means that even if you're using a weak password, the attacker won't be able to go offline and figure it out.
Dave Bittner: [00:17:51] And so by default, WPA3 is going to have encryption active from the get-go?
Jonathan Katz: [00:17:58] Yeah. So, I mean, WPA2 also offers encryption, but I guess the point is here that it's an extra layer of protection for users that don't choose strong passwords. Now - and by the way, that's not to say that you shouldn't choose a strong password. Obviously a strong password is going to be better than a weak one. But here, they're offering some additional layer of protection even for people who choose weak passwords.
Dave Bittner: [00:18:17] Yeah, kind of protecting people from themselves (laughter).
Jonathan Katz: [00:18:19] Yeah, that's exactly right. That's exactly how they're selling it (laughter).
Dave Bittner: [00:18:22] Yeah. All right, it's interesting. Well, I have to see how it spreads and how quickly this actually makes it out into devices.
Jonathan Katz: [00:18:30] Yeah, we'll have to see, actually, how quickly manufacturers are going to install this new standard in their devices to allow users to go ahead and upgrade.
Dave Bittner: [00:18:37] Yeah. Jonathan Katz, thanks for joining us.
Jonathan Katz: [00:18:39] Thank you.
Dave Bittner: [00:18:44] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.