Reverse engineering Equation Group attack tools (and putting them to bad use). Hacking, jamming, and airstrikes. Taking down coordinated inauthenticity. How big is the dark web?
Dave Bittner: [00:00:03] Buckeye seems to have re-engineered some of Uncle Sam's cyber tools. And, apparently, they did it without help from The Shadow Brokers. More on airstrikes as retaliation for hacking with some thoughts on electronic warfare. Notes on malicious commitment as one of the hazards of open source software development. How big is the dark web? Big enough but maybe not as big as everyone thinks. And beware of bogus "Avengers: Endgame" sites.
Dave Bittner: [00:00:35] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings. But it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web by identifying new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top-trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:42] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, May 7, 2019. Researchers at security firm Symantec have concluded that the Buckeye group has obtained Equation Group's cyberattack tools and used them against a variety of targets, including several U.S. allies. The Equation Group, of course, is generally alleged to be the U.S. NSA. Symantec doesn't call Buckeye a Chinese intelligence service but comes as close as everybody else does, close enough to make no difference. The tools' use apparently antedates The Shadow Brokers' leaks by about a year. And Symantec thinks, The New York Times reports, that the code was captured and reverse engineered when it was employed against Chinese networks. The Times compares it to a gunslinger's grabbing the other gunslinger's Peacemaker during a showdown and then blasting back with it. The other possibilities - that the attack code was found inadvertently exposed on a poorly secured server, that it was obtained by hacking or that it was delivered by a rogue insider - are thought to be significantly less likely.
Dave Bittner: [00:02:46] Specifically, what Buckeye got was the DoublePulsar backdoor and the Bemstour installation tool. It did not use them against U.S. targets, either because Buckeye assumes the Americans would be wise to their own exploits or because they wished to avoid tipping their hand to Fort Meade. Instead, the threat actor targeted, as far as is known, scientific research organizations and educational institutions in Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong. In at least one case, government networks were also attacked.
Dave Bittner: [00:03:20] Buckeye is also known as APT3 or, our personal favorite, Gothic Panda. And it's generally held to be a contractor in Guangzhou, working for China's Ministry of State Security. The company is the Guangzhou Boyu Information Technology Company Limited, but it's also known as Boyusec. You may have heard of them. They're the employers of the three gentlemen the U.S. Justice Department indicted in November 2017 on charges of computer hacking, theft of trade secrets, conspiracy and identity theft directed at U.S. and foreign employees and computers of three corporate victims in the financial, engineering and technology industries between 2011 and May 2017. They're out of the reach of U.S. law for now unless and until they decide to vacation in some extradition-friendly vacation destination. We hear Vancouver is lovely this time of year.
Dave Bittner: [00:04:11] But the indictment seems to have made Boyusec pull in its contractors' horns a bit. In any case, as several have observed, Boyusec went quiet after the Justice Department went noisy. And therein lies maybe another tale. As Symantec pointed out, if Boyusec is maybe out of the business, then who's using the tools? - because they've been used since Boyusec dropped off the radar. Have they come quietly back, or have they given the tools to someone else? As a Symantec researcher put it, people come and go. The tools live on.
Dave Bittner: [00:04:46] Observers are drawing several lessons from the incident. First, it seems that cyberattack tools are less easy to contain, more susceptible to proliferation, than are other tools of statecraft. Second, many would really like intelligence services to do a better job of securing their tools. Third, cyberattack code seems inherently backward-striking, and capable reverse engineering makes this even more likely to be a risk. And finally, some are calling for another review of the U.S. vulnerability equities process, which decides which zero-days to report for patching and which to hold on to for use against the opposition.
Dave Bittner: [00:05:24] The Advanced Cyber Security Center or ACSC is a member-driven nonprofit whose mission is to strengthen cyberdefenses, develop security talent and advocate for well-informed public policy. They recently published a report outlining how boards should be active governance partners in collaborative cyberdefense. Michael Figueroa is executive director of ACSC.
Michael Figueroa: [00:05:47] The report itself has a number of sort of findings. But as a security executive, I really kind of honed in on two primary key points. And the first point is really from the board perspective. Rather than try to become security experts or bring in one director to serve as the security expert, I think what we found is boards should really support their CISOs by holding the whole leadership team responsible for assessing cyber risks against business risks. So I - you know, that's really looking at it from that board responsibility-oriented perspective.
Michael Figueroa: [00:06:23] But, of course, I wouldn't say that the security executives are without responsibility either. In order to - for the board to really be effective at that, I think security executives that are most effective at building constructive board relationships are the ones who are able to get out of the technical weeds and seek to build leadership coalitions across the organization on mitigating cyber risks, comparing cyber risks to business risks. So it's really a sort of two-pronged approach that then the report digs into some of the key findings, experiences and techniques for how the organizations can improve those communications.
Dave Bittner: [00:07:01] So as you see it, I mean, to what degree is it a board member's responsibility to educate themselves on cyber issues?
Michael Figueroa: [00:07:10] You know, it's been a really, really long sort of conversation lately. I think that the security community will generally say that board members need to be more educated in security. But I would say that's - based on our findings, that's really not the right direction because it's not the board's responsibility to dictate how the security programs should be executed. It's really the board's responsibility to be able to help the organization and the leadership make strategic decisions based on their governance function.
Michael Figueroa: [00:07:48] So to do that, I think it's a much easier path to go for the board to be able to leverage its understanding of business governance and require the leadership team to really partner with the security executives to understand how cyber risks affect their areas of business so that the board can then make better strategic decisions without some idealistic overlay of what a security-informed board member should be.
Michael Figueroa: [00:08:22] What we're finding CISOs are getting locked up in is they're trying - they're reporting on metrics as they understand security and then are forced to spend much of their limited time in front of the board trying to explain what those metrics mean. I think it would be much more effective - and what the report is sort of showing us is more effective - for the CISOs to align their measurements against the performance of the business and then engage in that board-level conversation so that then they can seek the resources that they need to really mitigate the business risks versus trying to hone in on specific cyber risks.
Michael Figueroa: [00:08:59] We're in a transition stage - what I've been seeing right now - where the older generation of CISOs - or let's say the more seasoned generation of CISOs - are CISOs who inherited their position at large enterprises, for example, because they've been at the enterprise for a long time, and they're starting to retire out. That's opening up a new pool of CISOs to really start standing up into those larger, enterprise-oriented positions. And what's happening there is that the first generation of CISOs were very, very business-oriented and sort of learned security through the process of the evolution of the organization versus newer CISOs that tend to be much more technically sound and technically oriented but are much more comfortable in the technical side of security versus the business side of security.
Michael Figueroa: [00:09:48] So those that are being most successful are the ones who are able to effectively translate their technical knowledge to a business-oriented audience versus those that want to dive into the weeds and support their teams but aren't able to really engage in building those partnerships at the business leadership levels.
Dave Bittner: [00:10:10] That's Michael Figueroa. He's the executive director of the Advanced Cyber Security Center. The report is titled "Leveraging Board Governance for Cybersecurity." You can find it on their website.
Dave Bittner: [00:10:21] Israel's airstrike against a Hamas cyber operations center continues to be seen by many as a radical shift in the nature of combat. The future is here, and it features hackers getting bombed, as Foreign Policy puts it. Wired's more nuanced discussion sees the novelty in the near real-time retaliation and its public avowal by the Israeli government. What the hackers were engaged in doing is unknown, not having been part of that public discussion. But consider, as cyber operations and electronic warfare converge, whether the Gaza strike might be more like hitting an enemy jammer than something altogether new under the sun. Not all retaliation, of course, is kinetic. Sometimes, you jam the enemy emitter. And sometimes, even a private company can do it.
Dave Bittner: [00:11:07] Facebook just did so this week, taking down 97 groups, pages and accounts in an action against Russian-coordinated inauthenticity deployed against Ukraine. Finding and stopping inauthenticity continues to seem like a better and easier bet than direct content moderation. And sometimes you'll even leave the emitter alone because it's doing the opposition more harm than good. Perhaps it's telling its people what you would prefer they heard. Sometimes, it broadcasts nonsense, unintentionally darkening counsel with wayward folly. Sometimes, it's a self-jamming platform, some colonel or master sergeant who just loves, loves, loves to send their voice and the thoughts that voice carries out across the ether to the exclusion of all other communication. And sometimes, what you're collecting from a given emitter might just be more valuable than what the opposition's doing with it.
Dave Bittner: [00:12:01] We continue the CyberWire's coverage of the inaugural Global Cyber Innovation Summit in Baltimore last week. Among the discussions came a warning about the supply chain. It may be wise to assume hardware is compromised. And as for software, the industry as a whole hasn't come to grips with the implications of the very widespread use of open source code. What of the problem of the malicious committer? Security industry leaders and venture capitalists closely engaged with them shared some thoughts. A great deal of this is open source and, increasingly, producers of open source software have little or no relation to the software's consumers. With 80 to 90% of any given software product being written by unknown people with equally unknown skills, qualifications and motivations, one of the panels said we now face the problem of the malicious committer. Sonatype executive Wayne Jackson warned that working your way into a project and introducing coding errors is pretty trivial.
Dave Bittner: [00:12:58] Recorded Future takes a demystifying look at the dark web. What is the dark web, you might ask? Recorded Future's simple definition is as good as any. It's any worldwide web content that requires specific software, configurations or authorization to access. The Tor network is a part of the dark web that many will be familiar with. What Recorded Future found is that there's a lot less to the dark web than the familiar iceberg metaphor would suggest. It's not that 90% of the internet is down there invisibly submerged in the dark web. In fact, it's just the opposite. About 90% of online stuff is up on top, visible to all - alas, we might say all too visible. In Recorded Future's infographic, there's plenty of room for the happy whale in their illustration to pass beneath the iceberg without so much as a loss of a barnacle. So there's bad stuff out there in the dark web, but only around a hundred or so sites are doing bad things like hawking contraband.
Dave Bittner: [00:13:56] And finally, we fear this is another dog-bites-man story. But apparently, it needs to be told again. Sites promising pirated downloads of movies, television programs, songs and so forth are bad mojo. In fact, don't tell Thanos, but there is a sketchy "Avengers: Endgame" site out there that promises downloads of the movie. It should be unnecessary to say this but, apparently, it's not. The site is not an official Marvel one and, unsurprisingly, it's actually involved in credential harvesting. Giving up your credentials is like giving up the Time Stone to someone other than Dr. Strange or the Ancient One. Don't go there. You don't want to get dusted.
Dave Bittner: [00:14:40] And now a few words from our sponsor KnowBe4. Everyone knows that multi-factor authentication or MFA is more secure than a simple login name and password. But too many people think that MFA is a perfect, unhackable solution. It isn't. Learn from Roger Grimes, KnowBe4's data-driven defense evangelist in an on-demand webinar, where he'll explore 12 ways hackers can and do get around your favorite MFA solution. The webinar includes a hacking demo by KnowBe4's chief hacking officer, Kevin Mitnick, and real-life successful examples of every attack type. It will end by telling you how to better defend your MFA solution so that you get maximum benefit and security. Go to knowbe4.com/mfa to watch the webinar. That's knowbe4.com/mfa. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:15:45] And I'm pleased to be joined once again by David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's great to have you back. We wanted to talk today about HTTPS and some safety information you wanted to share about that.
David Dufour: [00:16:02] Yes. So always good to be here, David. Thank you for having me back. You know, let's talk a little about - a bit about HTTP and HTTPS. And, you know, I think most folks are familiar now that an HTTP is basically an open connection, and people can see network traffic and information going back and forth. And they've learned to look for that HTTPS, which means it's secure, and the little lock that says, hey, my connection is secure. And, you know, you feel good about that, right, David?
Dave Bittner: [00:16:31] Right. Sure. Yeah.
David Dufour: [00:16:32] Well, there's some concerns here. One of them is that with HTTPS, many of the common techniques for monitoring where you're going on the internet to make sure you're not landing on malicious websites can't read that secure traffic, which makes sense. The reason you want an HTTPS connection is you don't want anyone seeing your traffic. But that same security is blocking a lot of the tools that exist today that would prevent you from going places you shouldn't go. So there's a concern there.
Dave Bittner: [00:17:08] Sort of a natural tension there.
David Dufour: [00:17:09] Correct. And obviously, the question becomes, am I more concerned about my privacy or am I more concerned about where I'm browsing on the internet? - because, you know, some of your folks might be wondering, well, aren't all HTTPS sites secure and safe? Well, they're not. HTTPS - what it is doing is basically making sure the communication between your browser and the website on the other end is encrypted. It makes no determination if the website on the other end is a malicious website or not. It's just as easy for somebody setting up a malicious website to register and get a certificate to make that secure connection as it is for a legitimate business to do it.
Dave Bittner: [00:17:50] Now, you all have been tracking some examples of this. Wasn't there a recent phishing campaign involving some folks faking some Facebook logins?
David Dufour: [00:17:59] Yeah, so we do see a lot of not just with Facebook, but you're absolutely right with Facebook where people will set up these HTTPS sites. They look legitimate. They look like Facebook. They look secure because you have the lock. But you're actually not on a legitimate Facebook site or, you know, some other site. And it really makes it more difficult to make a determination because we've all been taught, look for the lock. Make sure that the URL looks good. And you're, in fact, on a malicious site.
Dave Bittner: [00:18:29] Isn't some of that changing? Aren't some of the - the browser suppliers are going to be adjusting how some of those look on the page, trying to get away from that lock being a symbol of security?
David Dufour: [00:18:41] Well, they are starting to figure out how they can make that determination, that that isn't the only sense of security. But it's not going to be holistic or exactly definitive on how that's going to play out in the marketplace. So I - you know, if you're using HTTPS, which you should be - we're not sitting here on this podcast today, David, saying you shouldn't use it. Just - you've got to be aware of where you're going. And just don't make the assumption that the site you're on is good.
Dave Bittner: [00:19:10] Yeah, don't let it give you a false sense of security.
David Dufour: [00:19:12] That's exactly right. And again, you should be looking at things that protect you at the network layer - not just on the endpoint but things that are monitoring your DNS to make sure you're not being routed to malicious sites. And make sure the certificates have good reputation, which all your folks are wondering, how do I do that? Again, that's looking at the lock and making sure it's green. But don't just trust that because your lock is green, you're good.
Dave Bittner: [00:19:36] Yeah, because those security certificates aren't so hard to get.
David Dufour: [00:19:39] Correct.
Dave Bittner: [00:19:40] All right. Well, David Dufour, thanks for joining us.
David Dufour: [00:19:42] Hey, it's been great being here, David.
Dave Bittner: [00:19:50] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:01] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor - Jennifer Eiben, technical editor - Chris Russell. Our staff writer is Tim Nodar, executive editor - Peter Kilpe. And I'm Dave Bittner. Thanks for listening.