Following K3chang. Bulgaria’s tax agency breach. An alternative currency gets some incipient regulatory scrutiny. Why towns are hit with ransomware. A hair-care hack.
Dave Bittner: [00:00:03] K3chang is out, about and more evasive than ever. Data breached at Bulgaria’s National Revenue Agency has turned up online in at least one hacker forum. Facebook’s planned Libra cryptocurrency received close scrutiny and a tepid reception on Capitol Hill this week. Emsisoft offers some common-sense reflections on why local governments are attractive ransomware targets. Please patch BlueKeep. And my interview with Richard Clarke, co-author of the new book "The Fifth Domain."
Dave Bittner: [00:00:39] It's time to take a moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:40] Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.
Dave Bittner: [00:01:55] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 19, 2019. ESET reports on recent activity of K3chang, an elusive threat group engaged in cyber espionage. Most of K3chang's recent targets have been in Slovakia, Belgium, Chile, Guatemala and Brazil. ESET studiously avoids attributing K3chang, but they do observe that, since its discovery by FireEye in 2013, K3chang has been associated with China. The recent campaigns show improved backdoors and greater evasiveness. In MITRE's threat group taxonomy, K3chang is also known as APT15 and sometimes as Vixen Panda or Playful Dragon.
Dave Bittner: [00:02:43] Hacked Bulgarian tax information has begun turning up in various discreditable hacker online neighborhoods. ZDNet says that the person who posted it, a gentleman going by the name Instakilla, obtained it from a download link carelessly displayed by a Bulgarian television news report. Instakilla crowdsourced a solution to the password and has now made the data available. He's not worried about doing so. He's a Bulgarian citizen, but since he's not the original hacker, Mr. Killa doesn't feel accountable for anything. So he’s got that going for him - maybe.
Dave Bittner: [00:03:19] But the alleged original hacker has now been identified. Computing magazine, citing Bulgarian sources, identifies the suspect as Kristiyan Boykov, age 20. Mr. Boykov had been employed by TAD Security, apparently in a cybersecurity training role. This is consistent with early reports that said the perpetrator was a white-hat pentester gone bad. Bulgarian social media are atwitter with talk that some of his students were members of the police cyber squad that collared him. So good job, Teach, although it’s always better to get an apple on your desk than a set of steel bracelets.
Dave Bittner: [00:03:57] In 2017, Mr. Boykov had exposed and disclosed security issues affecting the country’s Ministry of Education, which publicly praised him for his efforts. The present episode is therefore a sad comedown. The police say that the tax agency hack wasn’t even particularly artful. This seems to be figuring in Mr. Boykov’s defense. His attorney suggests that Mr. Boykov was too skillful and resourceful to have pulled off what looks like the work of a skid. Skid or not, the data were compromised.
Dave Bittner: [00:04:28] The way the case has proceeded is interesting. Mr. Boykov would originally have faced up to five years in prison upon conviction, but a letter from Bulgaria’s National Revenue Agency explained to the justice system that the data they lost wasn’t really critical infrastructure, and so now a conviction seems likely to bring just a fine. The National Revenue Agency isn’t really making what the lawyers call an admission against interest here. The agency is itself liable to fines over a data breach, perhaps as high as $22 million.
Dave Bittner: [00:05:01] Facebook's plans for Libra received close Congressional scrutiny this week. The concerns are familiar, but the regulatory way forward is, as WIRED points out, unclear. Should Libra be regulated like a bank, an investment, a contract? And how might necessary regulation preserve the decentralization that makes alt-coins so interesting in the first place? The Group of Seven’s central bankers are also cool to the notion, at least in its pure, buccaneering and unregulated libertarian form.
Dave Bittner: [00:05:34] Emsisoft reflects on the recent wave of ransomware hitting U.S. local governments. The firm suggests that counties and towns are vulnerable because of outdated systems and big attack surfaces. Over a third of local governments rely on technology that’s at least a generation behind the current state-of-the-art. And the towns and counties offer so many different public web services that they’re inevitably exposed to attack.
Dave Bittner: [00:05:59] SC Magazine and others continue to report that hundreds of thousands of devices remain unpatched against BlueKeep. Do give some thought to patching; if not for yourself think of what you're doing to herd immunity.
Dave Bittner: [00:06:13] And finally, as we all learned in elementary school, fire is a good servant but a bad master. So here's another thing to worry about that wouldn't have occurred to us before - hair straighteners can be hacked. Now, for those of you in the security community who aren't necessarily fashion-forward or especially grooming-conscious, we'll explain what a hair straightener is. A hair straightener is a device that uses heat to texture hair. Since there is at least a marketing, if not always a clearly functional, reason to render all sorts of devices smart, this has now been done to some models of hair straightener. But assuming you wanted a hair straightener in the first place, why would you want a smart one? Well, so it could communicate with stuff to maximize your attractiveness, obviously.
Dave Bittner: [00:06:59] In this case, Naked Security has an article describing one high-end product, the Glamoriser Bluetooth Smart Straightener, which communicates with an associated Android Glamoriser app. The problem is that the smart system is easily hackable, as a researcher at Pen Test Partners has demonstrated. You could, if you so wished, remotely override the Glamoriser's temperature setting from a toasty but arguably bearable 248 degrees Fahrenheit to a super-Bradburian Fahrenheit 455. That's hot enough to melt iodine, selenium or tin and plenty hot enough to set your house afire. Sure, the hacker would have to be in Bluetooth range, but how hard is that?
Dave Bittner: [00:07:42] Anyway, dumb-smart is perhaps worse than old-fashioned dumb. Think twice before styling your hair with what amounts to a soldering iron. Besides, trust us - your hair looks fantastic as it is.
Dave Bittner: [00:08:00] And now a word from our sponsor, KnowBe4, the experts in new-school approaches to defeating social engineering. You ever wonder how hackers and con artists know so much about their targets? Basically, there's more information out there on everyone than you'd like to believe. There's even a name for it - open source intelligence, OSINT. Kevin Mitnick, KnowBe4's chief hacking officer, can show you what the bad guys can find out about you. Go to knowbe4.com/osint and register for a free webinar with people who know a thing or two about mind-blowing underground OSINT secrets that you need to know. That's knowbe4.com/osint. And we thank KnowBe4 for sponsoring our show.
Dave Bittner: [00:08:55] And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, and he's also the host of the "ISC StormCast" podcast. Johannes, it's always great to have you back. You know, scanning your network for vulnerabilities is an important part of your regular cyber hygiene. But you wanted to talk today about some issues that could come up when you do that.
Johannes Ullrich: [00:09:17] Yes, when you're running these vulnerability scans, one thing a lot of people are sort of concerned about is, like, unintentional denial of service attacks and such. But there's another problem that actually one of our Storm Center handlers, Xavier, ran into recently, and that's the use of credentials in these vulnerability scans. Now, a very simple vulnerability scan would basically just scan your network, check what services are exposed and report on that. But that's usually not all that useful.
Johannes Ullrich: [00:09:48] So what you do is you actually provide your vulnerability scanning system with credentials. It can log into systems and then find out more detail of what the system may be vulnerable to. The tricky part here is that, in order to do this, the credentials being used by the vulnerability scanning systems often have some elevated privileges, and an attacker can actually take advantage of these credentials and use them, then, to attack your system if they're able to intercept a connection that is established by the vulnerability scanning system.
Dave Bittner: [00:10:28] So these credentials are typically being sent in the clear?
Johannes Ullrich: [00:10:31] Well, it depends. If they're being sent in the clear, of course, then it's really easy.
Dave Bittner: [00:10:35] Right.
Johannes Ullrich: [00:10:36] But in one particular case, if you're connecting to SMB file shares. So you have a Windows network. You're using SMB to connect to remote systems. In this case, you can launch what's known as an NTLM relay attack, where the attacker essentially is getting in the middle, between the vulnerability scanning system and the target system, and it's sort of playing them off against each other in order to gain access to the system without actually having to break any hashes or actually know any credentials that are being involved.
Dave Bittner: [00:11:12] And so what's the solution here? What's the best practice to avoid this?
Johannes Ullrich: [00:11:16] Well, first of all, I would not use any protocols that send credentials in cleartext. So cleartext protocols should be avoided anyway. You probably don't even need to then log in using your vulnerability management system. Now, as far as SMB is concerned, it's a little bit more tricky because it's almost sort of a feature of some SMB versions. So your real solution here is to prevent that NTLM relay attack. You should do that by using SMB version 3 and by enabling SMB signing. That of course is only possible if you're using the latest versions of Windows.
Dave Bittner: [00:11:58] Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:12:00] Thank you.
Dave Bittner: [00:12:05] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good, as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids. But to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operation center. CylanceOPTICS deploys algorithms formed by machine learning to offer, not only immediate protection, but security that's quick enough to keep up with the threat by watching, learning and acting on systems behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.
Dave Bittner: [00:13:12] My guest today is Richard A. Clarke, former national coordinator for security, infrastructure protection and counterterrorism for the United States. Under President George W. Bush, he was appointed special adviser to the president on cybersecurity. He's currently chairman of Good Harbor Consulting. He's the author or co-author of several books, the latest of which is titled "The Fifth Domain: Defending Our Country, Our Companies, And Ourselves In The Age Of Cyber Threats." The book is coauthored with Robert Knake.
Richard A. Clarke: [00:13:43] So the military talks about things as domains - land, sea, air. And over the years, they added space as the fourth domain. Now, in the last few years, the military have talked about a fifth domain - cyberspace - where they expect cyberwar to take place. So we're calling this the fifth domain because - not just because the book is about cyberwar - because it's also about other things that take place every day in cyberspace, including what happens to you as an individual, what happens to corporations. It's not just about cyberwar.
Dave Bittner: [00:14:24] You know, one of the points you make in the book - you say that the next major war will be provoked by a cyberattack. What leads you to that conclusion?
Richard A. Clarke: [00:14:33] Well, the director of national intelligence, this year, publicly testified that the Russian government has hacked into the controls of our power grid and that the Chinese government - Chinese military - the People's Liberation Army - is capable of controlling or affecting our controls for our natural gas pipelines. That - we suggest, in the book, that creates a situation of crisis instability, where if there is tension among nations, people are going to look around for, well, what - how can we do signaling? Or how can we do an initial attack that's not going to end up in killing people? And the answer is going to be cyber.
Richard A. Clarke: [00:15:17] We actually had proof of that a few weeks ago when the Iranians shot down a drone, and the United States wanted to retaliate. The normal retaliation package was given to the president, and he initially approved it. And it was the traditional way of retaliating with cruise missiles and bombers. But after a while, when they thought about it in the White House, they said, no, we don't want to go that far. Let's just start with a cyberattack because it seems easier, less bloody, less lethal.
Richard A. Clarke: [00:15:50] But the problem with cyberattacks is they do destroy things, and they provoke retaliation. And when you get into a cycle of tit-for-tat retaliation, ultimately that ends up in kinetic or conventional war. The Pentagon's policy, publicly articulated policy, is that if the United States gets hit by a cyberattack from another nation-state, and if that attack is sufficiently destructive, that we reserve the right to respond with a kinetic attack. So we've said publicly cyberattacks on us will not just be responded to with cyberattacks on you.
Dave Bittner: [00:16:30] When it comes to testing traditional kinetic weapons, you know, there's - they're unambiguous. If I do a test of a nuclear weapon, that capability is clear for everyone to see. But it's different in cyber. And we hear that nation-states are hesitant to demonstrate these resources for fear of burning those resources - that revealing them will make them less effective.
Richard A. Clarke: [00:16:57] And that's why deterrence doctrine from the nuclear era doesn't port well over to the cyber era. Deterrence doctrine - MAD - mutually assured destruction - depended upon people knowing that both sides had weapons that would work, knowing that those weapons could definitely get through, knowing that those weapons could do a specific amount of damage. And that's not the case in cyber.
Richard A. Clarke: [00:17:25] Also, in deterrence doctrine from the nuclear era, attribution was not an issue. Attribution can be an issue with cyberattacks because we now know that the Russians and the Chinese and apparently the Americans use each other's cyberweapons to obscure who's doing the attacks. And apparently, we've all stolen each other's weapons. But certainly nothing like that ever happened in the nuclear era. We never had the Russians running around with a U.S. missile submarine or vice versa.
Richard A. Clarke: [00:17:57] So you're right, we're reluctant to use a cyberweapon because once you've used it, other people can figure out how it works and can build defenses against it. And therefore, we don't want to use a weapon unless we absolutely have to. We can't demonstrate it. And frankly, when we pull the trigger, we can't really be confident we know how well it will work or what the defenses are like that it'll have to overcome. So cyber is a different kettle of fish than every other kind of combat, every other kind of war.
Dave Bittner: [00:18:30] Yeah, there's an interesting point you make in the book. And you say that, traditionally, military strategists were looking for certainty and that certainty was aligned with security. But on - in the cyber domain, uncertainty may be something that deters military action. Can you explain that difference to us?
Richard A. Clarke: [00:18:53] Well, no military commander wants to attack unless he knows there's a pretty good chance he's going to win. And in the case of cyber, you really don't know, when you launch an attack, what defenses you're going to come up against. Do they already know this attack technique? Will they allow you in and then shut you down? And the fact that we cannot be sure how effective our offensive weapons will be at any given time means that anybody advising a president or a commander should tell them, hey, Boss, we don't know that this is going to do the job. That changes things.
Dave Bittner: [00:19:32] Does that run counter to how military leaders are accustomed to thinking?
Richard A. Clarke: [00:19:37] It's entirely counter to what they're used to thinking. They have, in the past, always been able to exercise, simulate, have high probabilities of success, know what the outcome will be. In the cyberwar, they're not that sure.
Dave Bittner: [00:19:56] When President Trump took office, there was some optimism that cybersecurity was going to be a focus. You know, one of his first executive orders was centered on cybersecurity. How has that played out?
Richard A. Clarke: [00:20:09] Not well. He initially had a very good guy running cybersecurity policy from the White House - the old job I had. And that was Rob Joyce from NSA, a very respected, nonpartisan guy - expert. And John Bolton, when he came in as national security adviser, got rid of him and didn't replace him with anybody. So the old sort of cyber czar job doesn't exist. There's no one really making policy or implementing policy across the board out of the White House.
Richard A. Clarke: [00:20:43] The same thing happened in the State Department where Rex Tillerson came in and wondered why there were people working on international cyber norms and got rid of that office. They did, I will admit - the Trump administration did write a really good national security policy, national security strategy for cyber. I say it's really good because it looks a lot like the one I wrote for Bush.
Dave Bittner: [00:21:10] (Laughter).
Richard A. Clarke: [00:21:10] But they haven't implemented it.
Dave Bittner: [00:21:13] Personally, I find it helpful in my own mind to use public health as a metaphor for cybersecurity. And if you look at the past hundred years of the progress we've made where - we made tremendous strides in public health. And it's not perfect. You can wash your hands and, you know, do the basics. And still, every now and then, you're going to get a cold. Do you find that that's a useful comparison?
Richard A. Clarke: [00:21:40] No.
Dave Bittner: [00:21:40] (Laughter).
Richard A. Clarke: [00:21:45] I'm sorry.
Dave Bittner: [00:21:45] That's fair enough.
Dave Bittner: [00:21:46] (Laughter).
Richard A. Clarke: [00:21:46] No.
Dave Bittner: [00:21:46] Go on. (Laughter).
Richard A. Clarke: [00:21:46] Well, you know, I know people are always struggling to explain cybersecurity in terms of something else that people already understand.
Dave Bittner: [00:21:52] Right.
Richard A. Clarke: [00:21:53] And, you know, one of the things that you hear a lot from people is, well, if you'd just have good cyber hygiene, then you wouldn't get hacked. And I don't know what the hell that means. I don't think anybody really knows what that means. It's not a matter of good cyber hygiene. It's a matter of spending money. The companies that are spending 3 and 4% of their IT budget get hacked. The companies that are spending 8 to 10% of their IT budget on cybersecurity do not get hacked. That's nothing about hygiene. It's about money.
Dave Bittner: [00:22:26] So what's the take-home for the reader - the average person who's going about their life, their day to day here in the U.S. and elsewhere? What's the message you want to send home with them?
Richard A. Clarke: [00:22:36] Well, cybersecurity affects everybody and everything we do, from whether or not it's safe to go to a hospital and being strapped up to an IV drip machine or a heart-lung machine. It affects who gets elected, how the election processes work. It could, if it - we had a bad day, bring down an airline or bring down the power grid. And it can certainly mess your own personal life up in terms of credit card theft and other records theft.
Richard A. Clarke: [00:23:10] So we have a chapter in the book about what this means to the individual and how - what are the things an individual can do to increase their own cybersecurity? So individuals should do those many things that can improve their own security, but then they should be involved in the public debate to urge corporations they deal with and governments they deal with to remove the threats because we know how to do it.
Dave Bittner: [00:23:39] Well, the book is "The Fifth Domain: Defending Our Country, Our Companies, And Ourselves In The Age Of Cyber Threats." Richard Clarke, thanks so much for joining us.
Richard A. Clarke: [00:23:47] Great to be with you.
Dave Bittner: [00:23:48] And we'll be publishing an extended version of my interview with Richard Clarke this Sunday.
Dave Bittner: [00:23:58] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:24:10] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.