Security companies allegedly hacked by Fxmsp remain unidentified. SharePoint bug exploited in the wild. G7 preps major cyber exercise. Anthem hack motive? Amnesty takes NSO Group to court.

Dave Bittner: [00:00:04] Fxmsp criminals are now said to have code from a fourth security company, but none of the claimed victims have been publicly identified. A SharePoint vulnerability is being exploited against unpatched servers in the wild. The G-7 are preparing a major exercise to evaluate the financial system's ability to withstand a major cyberattack. No one is saying what the Anthem hackers were after. Amnesty takes NSO Group to court. And the Pentagon takes a security look at VCs.

Dave Bittner: [00:00:39] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53 percent of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See. Most security tools only analyze computer, network or system data. But to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:46] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, May 13, 2019. The gang Fxmsp, widely active in both Russian- and English-speaking hacker black markets, may have stolen code from a fourth security company. This story remains obscure after it broke last week. For one thing, none of the alleged affected companies have been publicly named. And there's still hope that there may be less to the story than people fear.

Dave Bittner: [00:02:16] The researchers at security firm Advanced Intelligence say they have moderate to high confidence that Fxmsp has the goods it says it does, which are said to include source code. The evidence for this consists of screenshots and Fxmsp's claims that they're selling antivirus companies' crown jewels, a project they say they've been working on for six months.

Dave Bittner: [00:02:39] How could this still prove to be more smoke than fire? SC Media UK quotes Synopsys CyRC's Tim Mackey, who points out that the screenshots that accompany Fxmsp's ballyhoo appear to show assembly code. And that, Mackey says, is something you can get by running a debugger on an application. It doesn't require access to source code. It would be more disturbing if there were solid evidence that Fxmsp had the access to the security company networks the gang says it has. It's worth noting that Fxmsp has, for now at any rate, pulled its wares from some of the black markets where they've been offered. The criminal group says they think one of their sources has been compromised.

Dave Bittner: [00:03:23] A known SharePoint vulnerability is being actively exploited in the wild. AT&T Alien Labs is tracking incidents involving CVE-2019-0604, a vulnerability Microsoft addressed in late winter. The Canadian Centre for Cyber Security warned last month of China Chopper malware hitting unpatched servers. Saudi Arabia's national center for cybersecurity has also observed remote code execution exploitation of the vulnerability.

Dave Bittner: [00:03:53] The obvious lesson from this is if you can patch, patch, especially if patching is relatively unproblematic, as it is in such cases. Yet enterprises continue to show the usual horror of the obvious. Consider WannaCry. TechCrunch reports that Shodan searches reveal that there are still 1.7 million unpatched end points out there still vulnerable to the North Korean attack code.

Dave Bittner: [00:04:18] Thomson Reuters reports that the G-7 are preparing a major exercise next month that will simulate a cross-border cyberattack against financial services and associated infrastructure. The Bank of France is taking the lead in the exercise. And they say that it, quote, "will be based on the scenario of a technical component widely used in the financial sector becoming infected with malware," end quote. All members of the Group of Seven will participate. Canada, France, Germany, Italy, Japan, the United Kingdom and the United States will all be involved.

Dave Bittner: [00:04:51] The U.S. indictment of two Chinese nationals last week - one named, the other identified but named only as John Doe - has raised some questions. The U.S. Justice Department alleges that they're behind the big Anthem attack of 2015. But what were they after? It's not clear, if it were a purely criminal operation, how they monetized the data because the data don't appear to have shown up for sale in the usual places. And if it was espionage on behalf of a nation state like, obviously, China, why didn't the Justice Department come out and say so?

Dave Bittner: [00:05:25] Amnesty International intends tomorrow to petition the District Court of Tel Aviv to direct that Israel's Ministry of Defense revoke NSO Group's export license. NSO's lawful intercept tool Pegasus is alleged to have been improperly used in surveillance by the governments of Mexico, Saudi Arabia and the United Arab Emirates.

Dave Bittner: [00:05:47] The New York University School of Law's Bernstein Institute for Human Rights and Global Justice Clinic is supporting the suit. Pegasus is called a lawful intercept tool, by the way, because that's the industry term of art for software sold to legitimate law enforcement and counterterrorist organizations. It doesn't mean that any use of such a tool is by definition lawful.

Dave Bittner: [00:06:09] At issue in the dust-up between Amnesty and NSO Group is the quality of NSO Group's customers because, of course, such software can be easily abused if it's sold to repressive or corrupt regimes or even to not-so-bad regimes that see themselves hard-pressed. Amnesty, which says its own people have been targeted with Pegasus, wants, among other things, more transparency concerning NSO Group's due diligence with respect to its customers. The rights group dismisses the company's remarks about an ethics board as so much eyewash and handwaving.

Dave Bittner: [00:06:44] To pick two contrasting police agencies, neither of which are alleged to be NSO customers, it's not as if you're always selling to the Royal Canadian Mounted Police - to take a police outfit with a generally good reputation. Yes, yes, and we're sure you'll let us know that the Mounties have their issues too, which no doubt they do, being a human institution. But surely one can see the difference between the RCMP and, say, the law enforcement force of the Islamic Republic of Iran. They're apples and oranges, friends. Just ask Inspector Fenwick. But from two such examples, it should be easy to infer the principle and move on from there.

Dave Bittner: [00:07:23] And there are differences around the world as to how seriously judicial independence and the rule of law are taken. NSO Group is an Israeli firm, which is one reason the action will be filed in Tel Aviv. But there's also some reasonable expectation that the suit will receive a fair hearing. In many parts of the world, no one would bother. What, night court in St. Petersburg or Shanghai? Please. Consider that the complaint against the Chinese hackers for the Anthem breach was filed in Indianapolis, not Shenzhen. We're familiar with efforts to secure the supply chain. Securing the venture community is now also receiving attention following incidents in which Chinese government money found its way into startups and in which sensitive technology may have found its way out and back to Beijing.

Dave Bittner: [00:08:10] The U.S. Defense Department is moving forward with its trusted capital marketplace program. This is intended to connect entrepreneurs with investors who don't represent a security threat by compiling a vetted list of VCs suitable for tech startups to consider.

Sound Effect: [00:08:26] (SOUNDBITE OF BUGLE PLAYING)

Dave Bittner: [00:08:32] And finally, we say farewell to one of the last of the U.S. Marine Corps Code Talkers. The Navajo Nation announced that Fleming Begaye Sr. passed away Friday in Chinle, Ariz., at the age of 97. The Second World War veteran served at Tarawa and Tinian, two of the toughest Marine Corps battles of the Pacific campaign. Rest in peace and semper fi, Mr. Begaye.

Sound Effect: [00:08:57] (SOUNDBITE OF BUGLE PLAYING)

Dave Bittner: [00:09:12] Now a moment to tell you about our sponsor, ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations - to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms" - everything you need to know about security, orchestration, automation and response. The book talks about intelligence-driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:10:29] And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland, and also director of the Maryland Cybersecurity Center. Jonathan, it's great to have you back. Saw an article come by recently, and it was explaining something they refer to as differential privacy. They're using some examples of the Census Bureau here. Can you describe to us, what are we talking about?

Jonathan Katz: [00:10:49] So differential privacy is a technique that was introduced by computer scientists about roughly 15 years ago or so. And basically, what it's meant to do is provide privacy for individuals who are taking part in some study. So like you were saying, here they're talking specifically in the context of the U.S. Census, where the Census Bureau is going to collect lots of information about people across the U.S. and then release information, say, on a neighborhood-by-neighborhood level.

Jonathan Katz: [00:11:14] And the concern is that you don't want that information that's being released to reveal something private about an individual or even a small group of individuals. And so differential privacy provides a way to think about the privacy of statistical analyses of this sort.

Dave Bittner: [00:11:30] And so how does it work?

Jonathan Katz: [00:11:32] Well, there are lots of different techniques that people are proposing. What this article was mentioning specifically was an - actually an old idea called randomized response. And this you can think about as being applied when you're asking people a potentially sensitive question. For example, have you ever used drugs? And so people might not want to give the true answer, especially if that answer is yes. So what you can do, essentially, is have the person flip a coin or flip a couple of coins privately so even the person asking the question doesn't see what the result is, and then to basically give an incorrect answer, so to lie with some small probability.

Jonathan Katz: [00:12:09] So let's just say that, you know, 10% of the time, you'll be told to lie, and 90% of the time, you'll be told to tell the truth. So the point is that now, when somebody asks me - right? - have you used drugs, even if I answer yes, it's not clear whether the true answer is yes or whether the true answer is no and I'm just lying because I'm in the 10% of the time when I'm supposed to lie.

Jonathan Katz: [00:12:29] And so therefore, it gives you a sort of plausible deniability. You can prove it actually gives you some formal notion of privacy. But nevertheless, it turns out that because you're only lying with a small probability, the researchers can still use the answers to those questions to do statistical analysis over the result.

Dave Bittner: [00:12:45] Now, is this what - when I hear people refer to a fuzzing mechanism, is this what we're talking about?

Jonathan Katz: [00:12:51] Yeah, essentially. So in that case, like I was describing, individual people are adding noise or fuzzing their own answers. But you could also imagine doing this through a centralized mechanism. So there, everybody would tell the truth to the Census Bureau, let's say. But then, what the Census Bureau would do is, before releasing any information publicly, they would themselves add noise to that data. And so that, again, provides a notion of privacy for everybody who took part in the study.

Dave Bittner: [00:13:17] And is this reliant on having a large enough dataset that any one individually flipped answer is going to fall within that realm of, I guess, statistical insignificance?

Jonathan Katz: [00:13:29] Yeah, exactly. So that's actually an important point that you bring up. You do need more people to participate. Or conversely, if you have the same number of people participating, then adding this noise does degrade the quality of your answer. But researchers have studied exactly the trade-offs involved, and you can basically try to tune the amount of privacy you get with the noise you add, and then that determines, basically, how accurate the results you're getting are. So these are a bunch of parameters you have to play with, allowing you to tailor the privacy versus the accuracy.

Dave Bittner: [00:13:59] And the bottom line is that these techniques seem to work.

Jonathan Katz: [00:14:02] Well, they definitely work in theory. You know, what's interesting in particular is that the Census Bureau is actively working on pushing these results into practice. And they're going to see exactly how far they can push them, how usable these techniques are, how efficient they are and whether it will, in the end, give them results that are accurate enough for their purposes. It looks like it's going to happen. And I guess it will happen, but it'll be interesting to see how that all plays out.

Dave Bittner: [00:14:28] Yeah. All right. Well, Jonathan Katz, thanks for joining us.

Jonathan Katz: [00:14:31] Thank you.

Dave Bittner: [00:14:36] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:14:49] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcasts.

Dave Bittner: [00:15:17] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell. Our staff writer is Tim Nodar, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.