Dave Bittner: [00:00:03] APT10 has been phishing U.S. utilities. Google wins a big round over the EU's right to be forgotten. European courts are also considering binding contractual clauses and Privacy Shield, which together have facilitated trans-Atlantic data transfer. Twenty-seven nations agree on responsible state behavior in cyberspace; a hawkish take on Huawei's 5G ambitions, and Edward Snowden's book is being used as phish bait - not, we hasten to say, by Mr. Snowden.
Dave Bittner: [00:00:39] And now a word from our sponsor, LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Learn more at lookingglasscyber.com/contactus. That's lookingglasscyber.com/contactus. And we thank LookingGlass Cyber for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Dave Bittner: [00:02:15] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, September 24, 2019. Proofpoint has released a report concluding that APT10 associated with China's government was responsible for a series of phishing attacks conducted against at least 17 entities in the U.S. utilities sector between April 5 and August 29 of this year. The malware used called LookBack, which was discovered in the wild in July, was embedded in malicious Microsoft Word files attached to emails. The APT impersonated the engineering research and intelligence institution, and its emails represented themselves as invitations to complete the Global Energy Certification exam. The activity appears to involve reconnaissance and battlespace preparation.
Dave Bittner: [00:03:06] The European Union's Court of Justice has found that Google is not liable for enforcing the EU's right to be forgotten worldwide. The poignantly named right to be forgotten guarantees European citizens the right to have information about them removed from the internet and particularly from that portion of the internet indexed by search engines, which, of course, makes the rule particularly important to Google. The court ruled that the EU could not require Google and others to remove data from the worldwide web as a whole and that its writ didn't run outside its member nations. So it would seem that European regulations will, at least in this respect, fall short of becoming a de facto global regime. The ruling was certainly welcome to Google, but it will take a bit of time before companies and others fully work out its implications.
Dave Bittner: [00:03:58] The Wall Street Journal thinks other decisions expected soon will introduce more uncertainty into trans-Atlantic data transfers. There's a challenge to the EU's Privacy Shield rules that may make it more difficult to move information between Europe and North America. Privacy Shield, the 2016 successor to Safe Harbor, had governed such transfers along with standard contractual clauses. Both Privacy Shield and the contractual clauses are being challenged on the grounds that they don't sufficiently protect European data from American misuse. A decision on the binding contractual clauses is expected in December with one on Privacy Shield to follow shortly thereafter. If you do trans-Atlantic business, prepare to lawyer up.
Dave Bittner: [00:04:44] Lately, it seems that distributors of ransomware have been targeting cities and municipalities. For a variety of reasons, they've been irresistible targets for these particular crooks. Fleming Shi is chief technology officer at Barracuda Networks. He offers these insights.
Fleming Shi: [00:05:01] A lot of the ransomware attacks in the past are going after consumers. But we're seeing upticking attacks on cities where potentially cities can pay more, but, you know, also subsidies are starting to have insurance coverage. I - that's one of the biggest fears I have is once we have insurance coverages, you can have larger payouts. The bad guys kind of just go after that kind of situation where then obviously they get more pay. You know, we're feeding the attackers in that way, right?
Dave Bittner: [00:05:34] And what makes these city governments, and small towns and so forth, what makes them a particularly attractive target?
Fleming Shi: [00:05:41] Basically, a lot of the attacks are going after services that could affect, you know, basically basic services - right? - including law enforcement, which can be disrupted. I think that the level of impact to everyday life is higher, especially when they hit home in the cities and also information related to citizens is gold to the bad guys, right? You can identify relationships between people if you get that information.
Fleming Shi: [00:06:15] You can identify social engineering end goals to further mount additional personal attacks or more targeted attacks against people using their information to do more damage to - you know, by opening accounts and doing things like that. So I think the information within city halls used to be walled off with a lot of protection, physical protection, now, you know, can be easily exposed digitally, which becomes a fuel for the bad guys to do more to everyone.
Dave Bittner: [00:06:51] So what are your recommendations for cities to go about protecting themselves? What sort of things should they put in place?
Fleming Shi: [00:06:58] The No. 1 thing is figure out how not to pay the ransom. If the business is not there for the bad guys, they will retreat. The only way you can protect yourself really from a situation like this is making sure all your perimeters and all your attack surfaces are covered. Email, obviously, is one of the highest attack vectors by the bad guys. At the same time, make sure you have backup, right? And also ensure the backup is being tested, so the restoration of your back - your data is sufficiently fast enough so you can restore services if you need to. Also train the city clerks and do, you know, phishing training and also ensuring the email that's coming, the attachments are clean.
Fleming Shi: [00:07:44] So there are a multitude of things you can do - by having a good backup that's well-tested, also well-trained staff who touch citizens' data, you know, and also ensuring that all the applications that are actually accessible by the citizens are protected by some type of web application firewalling capability so you can defend against SQL injection, cross-site scripting, all those very standard things because applications in the private sectors are very useful, especially web applications. And now they're becoming more useful in the public sector as well. So you can do lots of things online, right? I think it's an added convenience but also exposes a greater surface for potential attacks.
Dave Bittner: [00:08:31] That's Fleming Shi from Barracuda Networks.
Dave Bittner: [00:08:35] As the United Nations General Assembly's annual summit meets, some 27 countries, including all the Five Eyes, have issued a brief joint statement on advancing responsible state behavior in cyberspace. It calls for bringing cyberspace into the framework of international law. In particular, this would by implication mean applying the principles of proportionality and discrimination that inform the Law of Armed Conflict, rendering critical civilian infrastructure off limits while permitting legitimate intelligence collection and, during periods of conflict, attacks against military targets. Thus a missile command-and-control network would be a legitimate wartime target, but a city's water utilities would not. CNN and others see the statement as directed implicitly against Russia and China. The statement condemns attempts to undermine democracies, and they're looking at you, Moscow, and undercut fair competition, which would be you, Beijing. The statement doesn't name those two governments explicitly, but you don't have to be Henry Kissinger to figure this one out.
Dave Bittner: [00:09:42] The concerns on display in the statement have been addressed at length elsewhere. For example, this morning, we attended a press conference convened by Global Cyber Policy Watch, a project of Cambridge Global Advisors. Three experts spoke - Tom Ridge, former U.S. secretary of Homeland Security and 43rd governor of Pennsylvania; Nate Snyder, senior counterterrorism official with the Department of Homeland Security and the countering violent extremism task force under U.S. President Obama; and Chris Cummiskey, former undersecretary for management at the U.S. Department of Homeland Security and current senior fellow and adjunct faculty member at Virginia Tech's Hume Center for national security and technology. The topic was 5G technology and what's at stake with it in terms of security. And in the context of 5G, discussions of security seem inevitably to be discussions of Huawei.
Dave Bittner: [00:10:36] The three speakers gave a thoroughly hawkish assessment of the risks of allowing the Chinese telecommunication and IT giant to achieve a dominant position in the coming 5G infrastructure. Governor Ridge characterized Huawei as, quote, "basically an extension of the Chinese government," "an instrumentality of the state" and, in sum, "a massive, massive security risk" - end quote. He pointed to the large ownership stake, almost 99%, held by Chinese trade unions, which are organized under and whose leaders are appointed by the Chinese government, as evidence of the company's position in China. The company's attempt to secure a dominant position for itself in 5G infrastructure is, the panel said, a long game being played patiently. It competes on price and time to market, both of which the three speakers said it's able to offer because of heavy government subsidies.
Dave Bittner: [00:11:30] 5G will be so pervasive in economic life, Secretary Cummiskey said, that as a globally distributed platform, it's important to avoid its domination by any one entity. Yet such domination is what Beijing aims at, the panelists said. Mr. Snyder pointed out in particular that interoperability is essential to the sort of openness one wants in 5G or any comparable infrastructure. But Huawei, he said, wants no interoperability whatsoever, which would give it a de facto vertical monopoly.
Dave Bittner: [00:12:02] In response to questions about evidence for Huawei's enjoyment of substantial government subsidies and for specific intelligence tying Huawei to repression of Hong Kong dissidents and China's own Muslim minorities, the panel pointed for the most part to circumstantial evidence and a priori possibility. Snyder said, quote, "there may not be a smoking gun, but it's not a hard dot to connect" - end quote. We asked them how they would advise the U.S. government to engage China over this matter. Governor Ridge spoke for the panel by recommending that the administration listen to and take the advice of the intelligence community and U.S. Cyber Command. He also thought that this was an excellent time for consultation and coordinated efforts by the Five Eyes.
Dave Bittner: [00:12:46] And finally, Edward Snowden's new book, "Permanent Record," is being used as phishbait, Bloomberg reports. Criminals unconnected with Mr. Snowden are emailing a PDF that purports to be the book and asks the recipient to open and share the PDF. The email says the book has been banned, which isn't true in any case, so refuse the chain letter. The PDF holds malware. Read the book if you're interested, but turn down the PDF. There's no such thing as a free lunch.
Dave Bittner: [00:13:20] And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response with a hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. That's one reason enterprises value the SOC Visibility Triad, Gartner's framework that helps teams like yours scale security and business operations safely and cost effectively. When you combine network detection and response with endpoint protection and SIEM, you have the visibility, threat detection and automated response capabilities you need to secure and support cloud growth. Learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:14:19] And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, and he's also the host of the ISC "StormCast" podcast. Johannes, it's always great to have you back. Interesting stuff you wanted to cover today, some stuff going on with sandboxing web browsers and some local host web servers. What are we talking about here today?
Johannes Ullrich: [00:14:41] Yeah. What this is really all about is that we see more and more web servers pop up on desktops that are typically not associated with running a web server. But the reason this is happening is to make it easier to integrate various software with web applications. In your web browser, it's not easy for the web browser to start an application on a laptop or on a desktop. So what these companies are doing - they're setting up a little web server, then you can send a normal HTTP request to this web server just like to any other website. And that web server will now start software, collect system information, anything that the web browser, for pretty good reasons, isn't allowed to do. And a couple of companies have gotten into trouble about this recently.
Dave Bittner: [00:15:35] Yeah. I think the one that's attracted a lot of attention was Zoom, the popular conferencing service. They caught some heat for this.
Johannes Ullrich: [00:15:43] Yes, exactly. For them, it was usability. That's what it came down to. One of their differentiators is to be the more usable - the easier to use videoconferencing system. If you click on a link and you go to the website and then it would like to start the Zoom application on your system. Typically in your browser, there will be a little dialog box warning you that the website is now going to start this application. And they didn't like that. So in order to avoid that dialog box that the user has to click on, they actually installed a web server on the user's system.
Johannes Ullrich: [00:16:22] Now, what of course hit them a little bit versus (ph) than just the web server itself was that when you uninstalled the application, well, it left the web server behind, definitely didn't get uninstalled and also because, well, they didn't really secure that web server correctly, it could be used to then launch any application. Another example is also - so some of the software you often get from manufacturers like Dell and such that then helps them offer support via web-based tools. So now the web-based tool can reach out to their application that's installed on your laptop, desktop that then provides them, you know, debugging, diagnostic information about your hardware.
Dave Bittner: [00:17:08] Now, is there any easy way to go through systems to audit them to see if these rogue web servers are running?
Johannes Ullrich: [00:17:16] Now, you should definitely take a look at your system, see if anything is listening on a network port. And the tricky part here is they will only typically listen if they're somewhat configured correctly on the loopback interface. So you will not be able to reach them, for example, with a port scanner or something like this. But, yeah, just take a look at what's listening on your system. You're probably surprised, even if you don't have anything bad listening on your system, there's always something there that you probably don't recognize and it's probably good to follow up on that and figure out what it does. And if in doubt, just use a tool like netcat or so, connect to the port, send a little HTTP request, see what you get back. It's not always HTTP, but HTTP is particularly dangerous because that could then be triggered by a malicious website that you visit in your browser.
Dave Bittner: [00:18:04] All right. Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:18:06] Yeah. Thanks.
Dave Bittner: [00:18:12] And that's the CyberWire.
Dave Bittner: [00:18:13] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:18:25] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.