Polish espionage case. Ryuk tactics, and some thoughts on its attribution. Access-control system zero-days. Lawsuit may bring clarity to cyber insurance war exclusion clauses.
Dave Bittner: [00:00:03] Huawei fires the sales manager arrested for espionage in Poland and says that if he was spying, he was freelancing. Ryuk ransomware now looks more like a criminal than a state-sponsored operation, and its big-game hunting has pulled in almost $4 million since August. Access control system zero-days have been found, and a lawsuit is likely to set some precedents concerning what counts as cyberwar.
Dave Bittner: [00:00:35] I'd like to take a moment to thank our sponsor Georgetown University. Georgetown offers a part-time masters in cybersecurity risk management that prepares you to navigate today's complex cyberthreats. Ideal for working professionals, the program features flexible options to earn your degree without interrupting your career. Take classes online, on campus or through a combination of both. You decide. Not ready to commit to a full master's program? Explore accelerated options through Georgetown's cybersecurity certificates, which you can complete in as little as six months. To learn more about these programs, you're invited to attend an upcoming webinar on Tuesday, January 29, at noon Eastern time. Visit scs.georgetown.edu/cyberwire to RSVP. That's scs.georgetown.edu/cyberwire, and we thank Georgetown University for sponsoring our show.
Dave Bittner: [00:01:35] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 14, 2019. Suspicion that Huawei serves as a reliable partner of China's intelligence services seems likely to grow, The Washington Post notes. In addition to all Five Eyes, Japan, Poland, Norway and the Czech Republic have all recently expressed varying degrees of official skepticism about the hardware manufacturer's reliability as a partner. Other Chinese manufacturers, notably ZTE, are also coming in for their share of suspicion, but Huawei is first among equals when it comes to security worries.
Dave Bittner: [00:02:15] The recent arrests in Poland are the latest events to provoke concerns about Huawei in particular. Huawei has fired Wang Weijing, the manager who was arrested on espionage charges. The company denied involvement in the alleged espionage and said that the arrest and Wang's alleged actions served only to bring the company into disrepute. This is a very different response from the one on display concerning the arrest last month of the company's CFO Meng Wanzhou in Vancouver. Huawei had been supportive of Ms. Meng, but they worked quickly to toss Wang overboard.
Dave Bittner: [00:02:52] In fairness to Huawei, the company's claims of not being involved were lent some credence by official Polish sources, who spoke over the weekend about the espionage appearing to have represented individual effort and initiative as opposed to corporate policy. The AP says the Polish national arrested alongside a Huawei executive had formerly held senior cybersecurity posts in three Polish agencies - the interior ministry, the Office of Electronic Communications, which is a telecommunications regulatory body, and International Security Agency, a counterintelligence organization. The suspect identified only as Piotr D was, at the time of his arrest, working for the telecommunications company Orange, an outfit that had been partnering with Huawei in the 5G rollout. Both Mr. Wang and Piotr D have asserted their innocence and declined to provide testimony.
Dave Bittner: [00:03:48] Similarities between code used by Ryuk ransomware and the Lazarus Group's Hermes tool led to tentative suspicion that North Korean state-directed actors, like the Lazarus Group, might have been behind Ryuk as well. But states and hoods sell and buy in the same black market, so code sharing is not particularly surprising, nor does it amount to more, usually, than modest circumstantial evidence. ZDNet says the growing consensus among cybersecurity firms is now that Ryuk is run by Russian-organized criminal gangs. Ryuk, recently famous for having disrupted newspaper printing in the U.S., has been an interesting case. The criminals behind it are believed to have pulled in some $3.7 million in bitcoin payments since August. FireEye and CrowdStrike have tracked some 52 payments over that period. The ransomware has been distributed to a significant extent by TrickBot. But unlike the indiscriminate and opportunistic pattern common in other ransomware attacks, Ryuk engages in what CrowdStrike calls big-game hunting. It will lie dormant until it finds a target it can hurt badly enough to prompt a big payoff.
Dave Bittner: [00:04:57] There's a growing call in the U.S. for meaningful privacy regulation and reform as frustration builds over data breaches and misuse of personal information. Vijaya Kaza is chief development officer at Lookout. And she maintains that companies who take privacy seriously could find themselves with a competitive advantage.
Vijaya Kaza: [00:05:18] Privacy is becoming increasingly important for consumers. Obviously from an organization's perspective, where we are today is it is a program-driven approach relegated to compliance teams and in response to, typically, new laws or regulations, right? As a result of that, product teams are reluctantly, basically, doing the minimum they need to do to check the box and avoid any fines or penalties. So that basically changes privacy to just a loss-avoidance type of approach as opposed to really thinking about, what can privacy do for us, and how do we turn this into a strength and really take care of customer concerns and use it as a differentiator?
Dave Bittner: [00:06:07] Yeah, so let's dig into that some. How can privacy be a competitive advantage?
Vijaya Kaza: [00:06:12] Yeah. As I was saying, you know, if you are trying to be in this mode of loss avoidance, obviously, the fines and penalties and damage to brand reputation are the only ones that you are thinking about, right? Vendors often really compete on features and capabilities. But they don't pay as much attention to privacy because, again, it is a compliance check box. But if you flip it on its head and really lead with privacy first, it can help build a moat for your product and differentiate your product because it now becomes a mainstream capability or functionality that your product can offer and therefore, differentiate yourself from competition. In fact, by doing this, it goes beyond loss avoidance and really getting to, what can it do for business for bringing additional revenues and additional top-line and bottom-line benefits?
Vijaya Kaza: [00:07:08] And there are many studies that have been done on this. Recently, Cisco did a study, a privacy benchmark study. And that study and others have shown that addressing privacy the right way reduces the length of sales cycle by eliminating any kind of customer objections that you get and also help you bring deals, right? Especially in privacy-sensitive industries like health care, financial services and government, that can be huge. We often see that customers have many objections as they go through sales cycle. You know, how do you store data? What do you do with our data, right? So by addressing that head-on and really making that a part of functionality, you can take care of that and reduce the sales cycles.
Vijaya Kaza: [00:07:56] And obviously, leading with privacy also shows to your customers that you care about their concerns. And that increases customer loyalty and satisfaction. And therefore, you know, if you are looking at activations, retention rates, renewals, all of those will be automatically better. And it also improves brand reputation at the same time. So addressing privacy the right way with a privacy-first approach will definitely bring a lot of benefits to the business and can really take that problem and burden and convert that into opportunity.
Vijaya Kaza: [00:08:38] Starting with people is the right way to think about privacy because unlike security, privacy is not solved by technology, right? It is a complex people, culture and organizational issue and really requires a cultural shift across the organization. Every employing organization needs to understand how important privacy is to their customers and also think about, OK. Privacy is not just a burden, but I really can turn this into differentiation as we talked about before.
Dave Bittner: [00:09:11] That's Vijaya Kaza from Lookout. Researchers at security firm Tenable disclosed today that they've found several zero-days in IDenticard's PremiSys access control system. These include hardcoded credentials allowing admin access to the system, weak hashing, a hardcoded password and use of default database credentials. Tenable says IDenticard hasn't responded to its private disclosures and that as of last week, no patches were available. Tenable advises that users should make sure their PremiSys instances aren't connected to the internet.
Dave Bittner: [00:09:50] NotPetya hit candy and cookie company Mondelez hard. But their insurer, Zurich, declined to pay their claim on the grounds that NotPetya, which Western governments publicly blamed on Russia, amounted to an act of war. Mondelez, a big confectioner that owns the well-known Oreo and Cadbury brands, is now suing Zurich for $100 million. Bloomberg says this shows the downside of official attribution. Insurance policies of all kinds routinely exclude coverage for acts of war. Wars represent the prospect of the sort of catastrophic damage that would swiftly exceed the insurer's market capacity, thus war exclusion clauses are routine in the insurance industry.
Dave Bittner: [00:10:33] It is possible to obtain some forms of war risk insurance, but it's a lot more expensive and harder to get than other forms of coverage. Thus, war exclusion clauses are standard because of the likelihood that losses in wartime would exceed the insurer's ability to pay, not because a particular actor - a state, let's say - was the agent that caused the damage. Cyberattacks present an interesting case. They certainly can represent a form of warfare and have a clear space on the spectrum of conflict where they've already appeared in hybrid campaigns, like the one Russia has been waging for some years against Ukraine.
Dave Bittner: [00:11:11] On the other hand, it seems instructive that NotPetya, to return to this particular case, initially represented itself as, and was briefly taken to be, a ransomware campaign undertaken by criminal gangs for common criminal financial motives. While the losses companies sustained were substantial, they still seem closer to a big pile up on Interstate 5 than they do to Sherman's March to the Sea. Part of the issue, as Fifth Domain points out, is who gets to say what counts as an act of war. Formal declarations of war have been more or less out of fashion since the United Nations authorized that police action in Korea back in 1950. And several states, the U.S. included, have publicly discussed their ability to conduct cyber operations that don't amount to acts of war. There's a good chance that the Mondelez suit against Zurich will establish some precedents in this regard.
Dave Bittner: [00:12:11] And now a word from our sponsor Virtru. Virtru is a data-privacy company that protects your organization's data wherever it goes. Using a data-centric security approach, Virtru brings persistent protection and control to the platforms where your data is stored and shared, including Microsoft Office 365 and Google G Suite. Now, I know what you're thinking. What makes this different from any other data protection tool? Well, have you ever tried to protect data from inside your perimeter? It's hard. But Virtru makes it easy by not only encrypting at the data object level but also by giving you the ability to track where your data is shared. Revoke access, maintain audit visibility and host your own keys so you don't have to trust third-party services to keep your data safe. Virtru helps protect thousands of companies' data, including HBO, WeWork and the Associated Press. And for a limited time, they're providing our listeners a free copy of Forrester's 14-page report on "The Future of Data Security and Privacy." Get your copy at virtru.com/cyberwire today. That's virtru.com/cyberwire. And we thank Virtru for sponsoring our show.
Dave Bittner: [00:13:36] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute. And he's also my co-host on the Hacking Humans podcast. Joe, great to have you back.
Joe Carrigan: [00:13:46] Hi, Dave.
Dave Bittner: [00:13:46] We wanted to touch today on passwords and some of the new recommendations from NIST. They recently finalized their new guidelines. And there's some interesting changes here. What's your take on this?
Joe Carrigan: [00:13:59] So I like this guidance a lot. No. 1, they have said that you should have a maximum length of characters of at least 64 characters. I was changing my passwords on one of my financial websites the other day and was shocked to find I can only have a 24-character password on that site. It's a good idea to allow them as much space as they want.
Dave Bittner: [00:14:17] Right.
Joe Carrigan: [00:14:17] One of the other things is they talk about restricting passwords from previous breaches. Amazon has actually already been doing this. We had a story a couple of months ago, I think, about people having Amazon contact them and saying, your password's weak. And the way we speculated that that was happening was they were just using a known password list and cracking passwords...
Dave Bittner: [00:14:35] Right.
Joe Carrigan: [00:14:35] ...And then contacting people whose passwords they could crack with that list.
Dave Bittner: [00:14:38] So in other words, if I try to use a new password at a site and if it's a password that's on one of the compromised password lists...
Joe Carrigan: [00:14:46] Right. It's going...
Dave Bittner: [00:14:47] It'll say, this is - try again.
Joe Carrigan: [00:14:49] Right, exactly. And that's great because if that password hash is leaked, that's going to be one of the passwords that gets cracked pretty quickly...
Dave Bittner: [00:14:56] Right.
Joe Carrigan: [00:14:57] ...Because it's on the list.
Dave Bittner: [00:14:58] Right.
Joe Carrigan: [00:14:59] Another thing is - I really appreciate in this is they say, let users enter any characters on this. If they can hit the keyboard and enter that character, they should be able to use that character in their password. I always am wary of sites that don't let me use special characters. I'm concerned that the reason they're not letting me use special characters is because they're afraid of a sequel injection attack, which means that at some point in time or maybe even now, they're not hashing my password because regardless of what I enter, a hashed password will come out with a known set of characters that will not be useful in creating a sequel injection attack. And that's the information you put into the database, not my actual password.
Dave Bittner: [00:15:39] I see.
Joe Carrigan: [00:15:39] Allowing users to enter any characters is great because it increases the key space, as we like to say. But the other thing I want to touch on here that's kind of an important distinction and something that's a little nuanced that may not be apparent is they say that you should no longer force users to change their passwords.
Dave Bittner: [00:15:58] Right. OK, sounds good to me.
Joe Carrigan: [00:16:01] It does sound good.
Dave Bittner: [00:16:01] And the rationale for that is...
Joe Carrigan: [00:16:03] The research has shown that if you force users to change their passwords that they will pick weak passwords and just slightly modify the passwords over time.
Dave Bittner: [00:16:12] Right.
Joe Carrigan: [00:16:13] OK? But if you let them pick strong passwords and don't force them to change it unless there's been a breach or something or some other motivating factor - actually, the NIST standard cites two motivating factors in the articles I'm reading. I can't actually access the NIST standard right now because of the shutdown.
Dave Bittner: [00:16:26] The government shutdown.
Joe Carrigan: [00:16:27] Right.
Dave Bittner: [00:16:28] Yeah.
Joe Carrigan: [00:16:28] But it says if you have a known breach or if the user requests a password change.
Dave Bittner: [00:16:33] I see.
Joe Carrigan: [00:16:34] Yeah, that's an important distinction right there because I recommend that people still change their passwords on sites that they care about regularly.
Dave Bittner: [00:16:42] Yeah.
Joe Carrigan: [00:16:42] For example, any financial institution that you do business with, you should change the password on that with some regularity that you're comfortable with the risk level on.
Dave Bittner: [00:16:50] OK.
Joe Carrigan: [00:16:50] And that is different from being forced to have your password changed. In my workflow, I'm thinking of a person who's using a password manager so they're always producing a random 20-character password. They're not really remembering the password.
Dave Bittner: [00:17:02] Right.
Joe Carrigan: [00:17:02] And they're just going to go ahead and change the password every, like, six months or maybe every year. Forcing users to change their password after you know that there's a breach protects the users against the known breach. But changing your password with some regularity protects you against the unknown breach. So the site may have been breached or the password may have been leaked out, and attackers are immediately going to start cracking those passwords. You have some amount of time if you have a good complex password, but you don't have forever. And you can change that password and by - and then when they do crack your password in a year or so or maybe in 10 years, your password will no longer be valid because you will have changed it.
Dave Bittner: [00:17:40] I see. That's an interesting nuance.
Joe Carrigan: [00:17:42] Yeah, it is.
Dave Bittner: [00:17:44] So put yourself on a regular schedule. Set a reminder in your calendar. Hey, its new password day.
Joe Carrigan: [00:17:49] Right. It's - well - or if you use a password manager like the one I use, Password Safe, that's free and open source, then you can actually set those passwords to expire. And your password manager will remind you to change them.
Dave Bittner: [00:18:01] All right. You know, that's an interesting insight. That is a subtle nuance, but it does make a difference there. Yeah. All right. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:18:09] My pleasure, Dave.
Dave Bittner: [00:18:14] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.