NATO and UK to Russia: hands off elections and infrastructure. More trouble for Huawei, and maybe for others. Notes from the Cyber Investing Summit. Equifax downgraded over 2017 breach. Is it art?
Dave Bittner: [00:00:03] The U.K. and NATO send Moscow a pointed message about the consequences of meddling with either infrastructure or elections. More companies, including ARM, decide they won't be working with Huawei. Other Chinese companies seem headed for U.S. blacklisting. Moody's cuts Equifax's rating over its 2017 breach. Notes from last week's Cyber Investing Summit. And we may not know much about art, but we know what we like.
Dave Bittner: [00:00:35] And now a word from our sponsor, ExtraHop, the enterprise cyber analytics company delivering security from the inside out. Have login credentials been compromised? Are attackers hiding in encrypted traffic? Enterprise security teams face questions like these every day, but without complete visibility inside your network, your investigation could take hours or even weeks, and that's assuming you are able to detect potential threats in the first place. ExtraHop helps you rise above the noise of your complex attack surface with complete visibility, real-time threat detection powered by machine learning and guided investigations the SANS Institute calls fast and amazingly thorough. Learn more at extrahop.com/cyber, or be the blue team in the interactive demo. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:32] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, May 23, 2019. The U.K.'s National Cyber Security Centre has warned 16 NATO allies of Russian activity directed against infrastructure and government networks. Today's disclosure came from Secretary of State for Foreign Affairs Jeremy Hunt, speaking before a gathering at the NCSC. Mr. Hunt said that, quote, "Russia's intelligence services are targeting the critical national infrastructure of many countries in order to look for vulnerabilities," end quote. He called it a global campaign that also seeks to compromise central government networks.
Dave Bittner: [00:02:14] NATO Secretary General Jens Stoltenberg, who appeared with Mr. Hunt, warned Russia that NATO has a full range of responses to cyberattacks available, and that Moscow shouldn't count on the Atlantic Alliance being reluctant to use them. The tough line comes shortly after the European Union decided to enact a system for sanctioning people and states that engaged in cyberattacks. It also comes as voting begins for European Parliament.
Dave Bittner: [00:02:43] More companies are severing business ties and plans with Huawei. In this round, they're not American companies. British chip giant ARM will join Intel and Qualcomm in stopping business with Huawei. According to internal memorandum obtained by the BBC, ARM has told its employees to stop contact with Huawei personnel. The Washington Post says that Vodafone and BT Group have decided to suspend plans to include Huawei phones in their 5G networks. The ARM decision is regarded as particularly damaging. Huawei denies posing a security threat and says it considers the blacklisting politically motivated.
Dave Bittner: [00:03:22] The Telegraph lists other Chinese companies thought likely to wind up in Huawei's boat - surveillance equipment vendors Hikvision and Dahua, facial recognition providers CloudWalk and SenseTime, drone maker DJI and, of course, Huawei's smaller rival, ZTE. Hikvision's and Dahua's billionaire founders are set in particular to have taken a big financial bath that got deeper and soapier at midweek, as the U.S. seemed to turn its attention to them. In their case, concerns about security are joined by international distaste for the company's role in enabling Beijing's domestic surveillance policies.
Dave Bittner: [00:04:02] Sydney Freedberg is deputy editor at breakingdefense.com. He and his colleague, Theresa Hitchens, recently published a story titled "Can NSA Stop China Copying its Cyber Weapons?" The CyberWire's Tamika Smith spoke with Sydney Freedberg.
Sydney Freedberg: [00:04:17] There was a release from Symantec, which, like all the big antivirus companies, very carefully tracks threats around the world, which was then picked up by The New York Times, that said Symantec doesn't want to offend anybody who actually has nuclear missiles. So they say Buckeye and Equation Group, but those are, in fact, their code names for China and the National Security Agency - said that, basically, we already knew that some cyber weapons, programs that are used to get in other people's networks, from NSA had been leaked - previously, there were some in WikiLeaks - gotten loose and had been - picked up other players, including the Chinese. But recently, they've found evidence the Chinese were using some of these NSA tools before that leak happened.
Sydney Freedberg: [00:05:05] So how did they get them? And what Symantec deduced, you know, using their technical means - I'm not qualified to say, you know, independently, whether this was rare (ph) or not - probably happened is when the software was copied - the malware was copied onto the target network in China to spy on the Chinese, it didn't erase itself or didn't erase enough of itself so that they actually were able to copy the software used against them and shoot it back, not at us, but at other targets, including some of our allies.
Tamika Smith: [00:05:35] So the blueprint didn't self-destruct?
Sydney Freedberg: [00:05:37] This is the tricky part about cyber warfare. I mean, if I drop a bomb on a country, it blows up, right? I mean, there's - there are bits and pieces. If it duds, yeah, they can take it apart and see how it works, but it's not like it's carrying its own blueprint around with it, right? You know, if they - somebody can steal a plane from you. And that would happen with defectors in the Cold War. People would fly Russian planes to us. But even though you had the physical thing, you didn't have the blueprint. Well, a cyber weapon is a computer program; it is a line after line after line of code. It is its blueprint. There is no distinction between the blueprint that does - the thing that tells you how it works and how to build it, and the thing itself. So by using it, just by - and putting into action, it has to go on the target's machine, it has to copy itself, and the stuff it is copying onto their machine has to be the stuff that tells you how to build it because that's what the code is.
Tamika Smith: [00:06:32] So staying on that point, if we know that at this point, the cyber weaponry is highly dangerous, is there any way that they're thinking about creating a tamper-resistant method and stopping the development of what they're doing now?
Sydney Freedberg: [00:06:46] This is a big debate I tapped into. Me and my colleague, Theresa Hitchens, who helped me with the story, asking experts in this field, you know, can we actually make this stuff that's tamper-resistant? You know, this tape will self-destruct in three seconds - right? - from the old "Mission: Impossible" series. Can you do that with cyber weapons? And yes, you can to an extent. You don't have to have this stuff leaving itself around or copying itself, you know, willy-nilly across the internet, which kind of happened with Stuxnet, for example. That was probably the thing we and the Israelis built to damage the Iranian nuclear program but also got into the wild. It didn't destroy anything it wasn't targeted it at, but it was - had copies all over the place that people could find and reverse engineer.
Sydney Freedberg: [00:07:29] It's possible to create something that doesn't copy itself like that and erases what copies it made. But at some point, as it's executing the code during the attack, that code has to be on the system. It has to be in the target's computer. And that means, if they are actually able to watch what's happening in their own computer in real time - which is a perfectly reasonable security system to have for other purposes, anyway - they can record the code before it erases itself. So this is possibly an inherent weakness of cyber weapons, a way they're a double-edged sword that physical weapons are not.
Tamika Smith: [00:08:03] So what's next?
Sydney Freedberg: [00:08:04] That is tricky. I mean, the NSA - now, I've heard people say, you know, the NSA had gotten a little cocky about its ability to penetrate other people's networks and not get penetrated in return, and that, you know, disclosures like Snowden, so forth, were a humbling experience. So I would hope - you know, obviously, no one is giving me secret briefings. I'm a reporter - but I would hope that NSA, United States Cyber Command and other U.S. agencies that use cyber weapons are being much more careful about, you know, who has access to the code and much more careful about what part of the code actually has to go on the target machine, as opposed to, you know, it would be operating remotely, and what part - and how that code erases itself after it's done its mission.
Sydney Freedberg: [00:08:59] And technically, those are all things you can do, but there may be, you know, a limit, as I said, to - or a point where there - you know, there is always going to be some vulnerability to this kind of weapon because it's a weapon made of pure information.
Tamika Smith: [00:09:12] Thank you so much, Sydney, for joining the program.
Sydney Freedberg: [00:09:15] My pleasure.
Tamika Smith: [00:09:16] Sydney Freedberg is a deputy editor of the online publication Breaking Defense. He wrote the article, "Can NSA Stop China Copying its Cyber Weapons?" You'll be able to read more about this article at breakingdefense.com.
Dave Bittner: [00:09:30] Equifax continues to suffer from its 2017 breach. Moody's downgraded the credit bureau's outlook from stable to negative, citing long-term effects of Equifax's security and infrastructure costs. CNBC quotes Moody's as saying, "This is the first time a cyber incident has driven such a downgrade."
Dave Bittner: [00:09:51] We have a few quick notes on last week's Cyber Investing Summit in New York City. First, one of the consequences of the move to 5G appears to be greater dependence on satellites to carry internet traffic. This will, in all likelihood, require that new generations of communications satellites be reprogrammable, and with such flexibility, comes vulnerability. What can be reprogrammed can also be hacked. So look to the skies, security people.
Dave Bittner: [00:10:18] And in a keynote, Roger Thornton, AT&T Cybersecurity's vice president of products and technology, asked how we wound up with 3,000 or so cybersecurity companies. Do we need that many? He noted that consolidation of cybersecurity companies is already underway. Of those 3,000-some firms, Thornton said, the revenue of the top five companies accounts for some 10% of the sector's total revenue. That's far from an oligopoly, but it does suggest the industry is ready for some consolidation.
Dave Bittner: [00:10:51] And finally, we don't know much about art, but we know what we like, and we're liking this a lot, although maybe not to the tune of 10,000 Benjamins. What's this we're talking about? We're talking about art, friends. The work in question is The Persistence of Chaos, a piece by Guo O Dong that consists of a laptop running WannaCry and other malware that's up for auction with bids starting north of $1 million. Don't worry - the installation is airgapped.
Dave Bittner: [00:11:23] The Persistence of Chaos is 10.3 by 1.2 by 7.3 inches. At 2.8 pounds, it's clunky for a tablet alternative but quite svelte as a piece of cyber sculpture. The malware includes ILoveYou, MyDoom, SoBig, the critics' favorite WannaCry, DarkTequila and DarkEnergy. This haunting Borgesian work concerned with the interplay of cyber and financial space assembles a list of the losses each strain of malware imposed, challenging and deconstructing our preconceptions about the very ground of its reference, which might be taken as the problematic of money and state power.
Dave Bittner: [00:12:01] Also, if you get close enough to the screen, it's probably pretty immersive, too, although you wouldn't want to leave nose prints on the display, especially if you ponied up more than a million bucks for it. Did we mention that Persistence of Chaos is airgapped? The concern for safety seems right. The Persistence of Chaos was commissioned by and supported by deep instinct, the AI and deep learning firm that's headquartered in New York City, which is also the headquarters of the art world. So good for them for keeping it safe.
Dave Bittner: [00:12:32] It's worth noting that they also lawyered up, as the catalog puts it, quote, "The sale of malware for operational purposes is illegal in the United States. As a buyer, you recognize that this work represents a potential security hazard. By submitting a bid, you agree and acknowledge that you're purchasing this work as a piece of art or for academic reasons and have no intention of disseminating any malware. Upon the conclusion of this auction and before the artwork is shipped, the computer's internet capabilities and available ports will be functionally disabled," end quote.
Dave Bittner: [00:13:05] So you see, it's sanitized for your protection. We'll see if that hold-harmless clause holds up in court. So before you chuck out that Amiga you let get infected with Byte Bandit and have stuck somewhere in your parents' garage, think again - you could be sitting on artwork gold, friend. So OK, but for all the fun we're having with the Persistence of Chaos, let's send a discreet bit of applause or at least a beatnik finger snap to Deep Instinct for thinking about cyber art.
Dave Bittner: [00:13:39] Now a moment to tell you about our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53% of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer network or system data, but to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free, no installation required, at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:14:51] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's great to have you back. You know, it seems in the news recently, not long ago, we had a story about someone infecting some secret service computers perhaps with some thumb drives, with some USB sticks. This seems like the problem that just won't go away.
Justin Harvey: [00:15:12] It is definitely a growing concern amongst cyberdefense organizations globally. As we are seeing more virtualization on the desktop and more and more systems that are being cleaned and not reused after you log out, adversaries need a means to penetrate the enterprise, and one of the easiest ways is through USB sticks. And we have all heard of the - I guess I was going to say urban legend, but it's not an urban legend - of people finding USB sticks in the parking lot and plugging them in. I think that the best way to really work around that growing threat is to have strong endpoint controls. First is we are seeing more and more organizations put in policies on the endpoint where you can't plug in a USB stick if it's not encrypted. That serves a couple purposes. First is it would lessen the likelihood that an adversary would just have their malware sitting there on a USB - unencrypted USB drive. So if they try to plug it in, oh, it's not encrypted, so I can't plug it in.
Dave Bittner: [00:16:20] Now, when you say can't plug it in, do you mean that when you insert it in the machine, the machine won't mount it?
Justin Harvey: [00:16:25] Correct. It does a soft mount. It determines what sort of file system it is, and if it's not an encrypted file system that's approved or an encrypted file algorithm, it can sit there plugged into the system, but it won't actually mount it. Another way to combat this or at least to shorten the detection time is to also have really good endpoint monitoring, with that telemetry going into your SIM and creating use cases on it. So if there is an unencrypted USB mounting attempt by an endpoint, that should be flagged in the SIM. And in fact, you can actually start to track the vendors and-or the serial numbers of these USB drives. So if you see certain types of them going through the enterprise, you can actually create some interesting SIM monitoring use cases around that.
Dave Bittner: [00:17:17] You know, it seems to me like this is an area where you have to be careful to not slow people down. If they need to sling these files around, you know, you could run into a shadow IT situation.
Justin Harvey: [00:17:30] Yes. I guess that's always the counterbalance to putting in security which is affecting productivity. But I'd have to say, the lesser of two evils here is definitely putting a lockdown on your USB drives and, at minimum, at least only require encrypted drives. It's always Murphy's Law that the worst thing is going to happen. You have another team in, you have a consultancy, you have another organization that's within your company, they ask for certain files, you can't send them because they're too big. We all do it. We all resort to USB. But I got to tell you, the alternative of not having the USB encryption control is probably more damaging to an enterprise cyberdefense posture than forcing people to go down a possible route of shadow IT.
Dave Bittner: [00:18:20] Yeah. And I guess just having them available, having them plentiful, ones that have been approved, that have whatever encryption you're requiring there so that people don't have to go hunting around for them, that probably goes a long way towards helping, as well.
Justin Harvey: [00:18:33] Exactly. And in fact, one of the ways that we have been working through this within our team is we carry little USB drives that have keypads on them, so it doesn't really rely upon software encryption. It's actually hardware-based encryption. So you plug it in, you enter a six- or nine-digit code, and boom - now it's unencrypted and presents it to the operating system. Unplug it, and it's immediately encrypted. You could throw it across the room. Leave it in the airport, which is no problem for this type of hardware. It's - I highly recommend it.
Dave Bittner: [00:19:10] All right. Well, good advice. Justin Harvey, thanks for joining us.
Justin Harvey: [00:19:13] Thank you.
Dave Bittner: [00:19:18] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:30] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:19:59] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, our staff writer is Tim Nodar, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.