The CyberWire Daily Podcast 10.1.19
Ep 939 | 10.1.19

Piling on sanctions. The disinformation-as-a-service black market. Technological sovereignty through R&D investment? Ransomware continues to rise. NSA’s new Cybersecurity Directorate.

Transcript

Dave Bittner: [00:00:03] The oligarch behind the St. Petersburg troll farm is sanctioned - again. Recorded Future looks at disinformation and finds there's a functioning private sector market for it. The European Union seems likely to pursue technological sovereignty, at least to the tune of some R&D investment. Ransomware attacks against U.S. state and local governments have been trending up, and that trend is likely to continue. And NSA has its new cybersecurity directorate. 

Dave Bittner: [00:00:36]  And now a word from our sponsor, ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights, like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met, at bugcrowd.com. 

Dave Bittner: [00:01:53]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 1, 2019. The oligarch behind the Internet Research Agency that worked its influence mischief from St. Petersburg has come under new sanctions imposed by the U.S. Treasury Department. Yevgeniy Prigozhin is variously described as a founder, financer or owner of the troll farm. And he's a wealthy guy, indeed. More on this later. 

Dave Bittner: [00:02:23]  We tend to think of disinformation as something states do. And indeed, the word comes from a Russian word, dezinformatsiya. It was defined in the old "Soviet Encyclopedia," but the practice didn't fall out of use when Soviet power went the way of the dodo at the end of the Cold War. The Russian security organs have long been world leaders in the practice. But there are also purely criminal use cases for disinformation, as a Recorded Future study concludes. Much of it takes the form of garish and dishonest advertising and apple polishing, and there's enough demand to sustain a disinformation-as-a-service market. Bulk social media campaigns are prominent offerings. The gangs offer services that range from what most of us would call shady PR tactics, like placing stories in both legitimate and dodgy online outlets through creating social media campaigns. Crafted to avoid triggering the content controls, networks have put in place to limit such activity. 

Dave Bittner: [00:03:22]  It would appear, from Recorded Future's experiment, that disinformation as a service is fast, affordable and arguably effective. The researchers created a fictitious company, which their report calls the Tyrell Corporation, and then contacted two competing disinformation specialists in the Russian-speaking underground to pull together competing campaigns, one pro and the other anti-Tyrell. The salesmen of the two groups, which Recorded Future calls Raskolnikov and Dr. Zhivago, were highly professional, patient and, apparently, easy to work with. They also offered clear pricing, and they delivered on their end of the deal. Of the two, Dr. Zhivago was the more experienced and sophisticated, but both delivered the content with novelistic flair. 

Dave Bittner: [00:04:07]  Odi et amo - I hate and I love, said the old-time European poet. And the more things change, the more they stay the same, as another old European saying has it. And internal EU policy document from the European Commission's Directorate-General for Communications Networks, Content and Technology has leaked and shows the EU as being of two minds with respect to foreign technology. It wants foreign technology - and for foreign here, read, Chinese and American - but it fears them, as well. The leaked document recommends an urgent initiative for technological sovereignty, Bloomberg reports. An EU spokesman emailed Bloomberg to say, simply, we don't comment on leaks. But the word on the street is that the 23-page document, itself a chapter in a larger briefing book, says, quote, "Europe's position and influence in global markets will be eroded, affecting European leadership and jeopardizing our technological sovereignty in key industrial strategic value chains," end quote. 

Dave Bittner: [00:05:07]  It's thought to represent the thinking of Ursula von der Leyen, who assumes the presidency of the European Commission next month. Technological sovereignty was a major plank of President-elect Von der Leyen's campaign, but she herself, of course, will not have the authority to mandate it by decree. That decree would have to come from the European Parliament. But the leaked proposal represents an influential line of thinking. Two companies particularly mentioned in dispatches are Apple and Huawei. And the prescription for making Europe great again is, for the most part, greater investment in R&D. 

Dave Bittner: [00:05:43]  Among the many observations on trends out today is one from Emsisoft. More than 600 government entities in the U.S. - mostly state and local organizations - have been hit with ransomware this year, and Emsisoft thinks it's going to get worse. Politico grouses that legislators are either out of ideas or indisposed to act, and a Help Net Security op-ed argues for collective defense as local governments' best option. 

Dave Bittner: [00:06:09]  Facebook can't seem to keep themselves out of the news these days, and most of the news about Facebook lately has, arguably, not been good for Facebook. But one of their initiatives to become a major player in online cryptocurrency has been flying a bit under the radar. Our own Carole Theriault has this report. 

Carole Theriault: [00:06:27]  Facebook, despite being hammered on privacy and ethical issues for the last year or more, seems to be forging ahead with new digital adventures without hardly a limp in its step. And one of these recent forays is Facebook's new cryptocurrency, called Libra or Libra. The idea is that Libra would launch in early 2020, and that Libra would dramatically improve the way in which people send and receive money online. Well, that is what Facebook say, at least. So I invited Simon Rodway from Entersekt to help us understand what Facebook is trying to do here and get him to look into the crystal ball and see what he thinks the impact will be on our financial lives. Simon, tell me, what do you think Facebook Libra is going to do? Is it going to rock the financial foundations as we know it? 

Simon Rodway: [00:07:17]  Well, it's a very interesting question to ask. Things are not always what they seem. And I think in this particular case, with Facebook specifically and with the Libra Project, it's sensible to look a little bit deeper than what is first perceived. All Libra is is an aspirational vision. The vision of Libra is really to develop a safe, secure and low-cost way for people to move money effectively. We've seen for such a long time that the remittance market is a very expensive market for, in effect, the poorer in our society - where people want to move money to send to their family, and they have to pay a hell of amount to do it. 

Simon Rodway: [00:08:07]  The reality is what Libra is trying to do, in the way that it's being presented, is to try and address that particular gap. And I think with that in mind, I can only applaud it at this point. Whether it's successful is a different matter. There are a lot of reasons why that might not be the case. Libra is just one driver in this particular space. There are others. We can look at... 

Carole Theriault: [00:08:32]  Right. 

Simon Rodway: [00:08:32]  ...The likes of the startup banks that we see who are also looking at cross-currency, cross-border payments and saying, OK, we can do that better. 

Carole Theriault: [00:08:44]  OK. So let's say I'm a target market for something like Facebook Libra. What are the things I want to ask before I dive in and start using it as a currency? 

Simon Rodway: [00:08:57]  They always go to the place of fear. This is change. This is something different. What should I be afraid of? And because it's got the Facebook stamp on it, obviously, in our minds, we can think of various events that have taken place in recent months and years where we think, do we really want to trust Facebook with all of this information? The reality is that we call this Facebook Libra. But it's not Facebook. Not directly, anyway. Facebook is one member in an association where the association will manage this network. Yes, Facebook were the conceiving body. They were the organization that put forward the developers that built out the Libra framework. So the fear that we have, which is, do I really want to trust my personal, identifiable information to an organization that has got a track record of not really looking after that well? 

Carole Theriault: [00:09:55]  A pretty justifiable fear, I would say. 

Simon Rodway: [00:09:58]  Yeah. Absolutely. Without a doubt. The question then I would ask is, what information are they capturing, what information is Facebook themselves capturing? They won't get access to the Libra network directly, in that it is a node-based network. So there are a number of different parties that will play. And then because it's based on blockchain, blockchain is an immutable structure. It can't be changed. It can't be tampered with. It can't be altered. Therefore, there's very little that Facebook themselves can actually do with that. 

Simon Rodway: [00:10:34]  Where Facebook will win and could win is when we talk about Calibra, the wallet solution that will be delivered by Facebook. In actual fact, it's going to be headed up by David Marcus, who will look to deliver a wallet solution for Libra, which people will then use. And typically, their argument there is the 2.3 billion Facebook users they have will use a Calibra wallet, which will allow them to exchange Libra coin over the Libra network. 

Carole Theriault: [00:11:08]  Right. And that is where there may be some security issues. That's where you're seeing - that's the area you're thinking, let's pay attention to that. And... 

Simon Rodway: [00:11:15]  The question, when needs to be asked. 

Carole Theriault: [00:11:17]  Well, Simon Rodway. (Laughter). You've educated me today (laughter). Thank you very much for coming on the show and making the time to speak with us. This was Carole Theriault for the CyberWire. 

Dave Bittner: [00:11:28]  NSA has launched its new Cybersecurity Directorate today. Its first director, Anne Neuberger, is quoted in The Washington Post as saying, the mission of the organization is to prevent and eradicate threats. Our focus is going to be on operationalizing intelligence. So welcome to the world, Cybersecurity Directorate, and may you get off to a good start. 

Dave Bittner: [00:11:50]  We return for a moment to the case of the sanctioned oligarch. As we mentioned earlier, he's been sanctioned before. What's left to sanction, one might wonder? Same question came up with recent new sanctions imposed on North Korea's Lazarus Group. At some point, aren't you just chasing your tail? Not necessarily. And if you look at the details of the sanctions, you can see the point. Yevgeniy Prigozhin has indeed been sanctioned before, but this time his yachts and private jets are specifically named. He may find it difficult to ride them into non-Russian ports of call, Fifth Domain notes, no place to buy diesel, no landing rights and so on. 

Dave Bittner: [00:12:29]  Thinking of dropping anchor and calling the harbor master at Barcelona or Port Adriano? Perhaps it's no longer such a good idea. Or maybe you're in the Black Sea, say, dropping hook at Novorossiysk. Like, it's not St. Tropez, but there's a wine tour open to the public, and maybe you could visit the monument to the sailors' wives, enjoy some oysters, things like that. Or maybe you're up in the White Sea, where you could take a peek at the Belomorsk museum of local lore. That's tough to beat. The point of this is not to make fun of Russian local attractions - and we Americans have no call to throw stones through our own glass house of roadside attractions, like the world's largest ball of string or Ripley's Believe it or Not. 

Dave Bittner: [00:13:11]  The point is that owners of mega-yachts and private jets want to strut their stuff on a fashionable stage. Consider this. If you're bombing around the U.S. Eastern Seaboard in your nicely loaded Gulfstream, you want to be able to touch down at JFK and disport yourself on Park Avenue. Or maybe even land at Palm Beach International and then chill at Mar-a-Lago. You don't want to be confined to landing at Teterboro and hoping they've got some soft-shell crabs at Tracy's Nine-Mile House on the Hackensack River. But Mr. Prigozhin is now confined to the Eurasian equivalent of just that. We're fans of Teterboro and South Hackensack. But trust us. Nice as they can be, they're not places you go to be seen on the red carpet. Maybe you think that's punishment enough. But think further. Yachts and jets are standing temptations, specifically to pride, envy and avarice. They can gnaw at you. Suppose the itch gets so great that you decide you've just got to sail your yacht into a nice place, maybe like the misleadingly named Mosquito Creek Marina on the Esplanade in North Vancouver. Step ashore incautiously and - blammo - extradition, here we come. And that is why the feds aren't just chasing their tails. 

Dave Bittner: [00:14:31]  And now a word from our sponsor, Edwards Performance Solutions. It's commonly accepted that cybersecurity is a business risk, not an IT problem. What may not be as commonly accepted is that cybersecurity needs to be an integral part of every business strategy and that cybersecurity can actually be an asset to your business. Achieving this outcome is a journey. The journey starts with an understanding of what information is important to the business, what business processes generate, use, store or transmit that information, and what are the rules and regulations impacting the information? The next part of the journey is understanding the risks to the business and those information assets, followed closely by establishing a governance structure to manage those business risks. This includes managing the risk to your supply chain. The journey is not an easy one and is fraught with roadblocks and obstacles. You may need a guide. Edwards Performance Solutions is ready to be your guide in this journey. Please visit their website, edwps.com, to learn more. That's edwps.com. And we thank Edwards Performance Solutions for sponsoring our show. 

Dave Bittner: [00:15:51]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back. 

Joe Carrigan: [00:15:59]  Dave, it's always great to be here. 

Dave Bittner: [00:16:01]  I had something brought to our attention. This is thanks to the SwiftOnSecurity Twitter feed. 

Joe Carrigan: [00:16:07]  Which is a great Twitter account. 

Dave Bittner: [00:16:08]  Quite popular, quite popular. 

Joe Carrigan: [00:16:10]  I follow it. 

Dave Bittner: [00:16:10]  And they pointed out that Microsoft has made some changes when it comes to trusting the encryption on SSD drives. 

Joe Carrigan: [00:16:19]  Right. 

Dave Bittner: [00:16:20]  Unpack this for us. 

Joe Carrigan: [00:16:21]  So when you have BitLocker, when you enact it and the drive's reported that it could encrypt the data itself, previously, it looks like Microsoft would trust the drive. 

Dave Bittner: [00:16:33]  Right. 

Joe Carrigan: [00:16:33]  It'd say, OK, we'll let you handle the encryption. 

Dave Bittner: [00:16:35]  So the hard drive itself had the capability built in... 

Joe Carrigan: [00:16:38]  Right. 

Dave Bittner: [00:16:39]  ...To encrypt the data on the hard drive. 

Joe Carrigan: [00:16:40]  Right. Well, Microsoft has found that's not always the case, that a lot of times, there's quality issues with that. There's an article in here that SwiftOnSecurity links to that points to Samsung devices. 

Dave Bittner: [00:16:52]  Right. They had issues with firmware and, I think, hard-coded passwords. 

Joe Carrigan: [00:16:57]  Right. Yeah. It was hard-coded keys, I think... 

Dave Bittner: [00:17:00]  OK. Yep. 

Joe Carrigan: [00:17:00]  ...Was what the issue was. 

Dave Bittner: [00:17:01]  Yep. 

Joe Carrigan: [00:17:02]  What's happening here is now Microsoft is saying, all right, manufacturers, we just don't trust you anymore, and we want to keep our users safe. So we are going to use CPU-based encryption to encrypt the data on the hard drive. 

Dave Bittner: [00:17:15]  Hmm. 

Joe Carrigan: [00:17:16]  It's a shame that Microsoft has to do this, but I think that Microsoft has to do this. 

Dave Bittner: [00:17:21]  (Laughter). 

Joe Carrigan: [00:17:21]  Right? 

Dave Bittner: [00:17:23]  (Laughter) Right, right. 

Joe Carrigan: [00:17:24]  It should be the case, rather, that Microsoft doesn't have to do this and that these drives actually properly encrypt the data so that when the data is stolen by physically stealing a laptop, which happens frequently... 

Dave Bittner: [00:17:35]  Yeah. 

Joe Carrigan: [00:17:36]  ...Right? That that data is protected while it's at rest. 

Dave Bittner: [00:17:38]  Right. Somebody can't take the hard drive out... 

Joe Carrigan: [00:17:41]  Right. 

Dave Bittner: [00:17:41]  ...Hose it up to another machine and... 

Joe Carrigan: [00:17:43]  And say... 

Dave Bittner: [00:17:43]  ...Suck the data off of it. 

Joe Carrigan: [00:17:44]  Yeah. Pull the data off of it. 

Dave Bittner: [00:17:45]  Yep. I suppose part of this is the CPUs themselves have gotten to the point where this isn't any sort of big impediment for them to be able to do a high level of encryption... 

Joe Carrigan: [00:17:58]  No. 

Dave Bittner: [00:17:58]  ...On the fly. It's not really going to slow things down anymore. 

Joe Carrigan: [00:18:01]  Right. And once there's - once they start using a symmetric encryption algorithm, that's pretty fast. It's not a slow algorithm. 

Dave Bittner: [00:18:07]  So really, they're just - they're taking this out of the hands of the hard drive manufacturers... 

Joe Carrigan: [00:18:12]  Right. 

Dave Bittner: [00:18:13]  ...Saying, OK, we're not sure we can trust them, but you can trust us. 

Joe Carrigan: [00:18:16]  Correct. I mean, we know - Microsoft is saying, we know we can trust us. 

Dave Bittner: [00:18:20]  Right. Right. Should we trust them? 

Joe Carrigan: [00:18:22]  I think we can. I think Microsoft's doing a lot better job in security than it did, say, 15 years ago. I think they've really woken up and smelled the coffee. I think they did that a long time ago, I say. 

Dave Bittner: [00:18:32]  Yeah. 

Joe Carrigan: [00:18:32]  I should say. You know, it would be better to have this encryption at the hardware level, right? To have - and it would be faster and better all around. But if you can't be certain of the vendor's implementation of it, this is Microsoft doing what any good company would do. 

Dave Bittner: [00:18:48]  Hmm. 

Joe Carrigan: [00:18:49]  Microsoft, you've got to remember, they don't have the advantage that Apple has. They don't control any of the hardware... 

Dave Bittner: [00:18:54]  Right. 

Joe Carrigan: [00:18:55]  ...On the computers that run their operating system. 

Dave Bittner: [00:18:57]  Mm-hmm. 

Joe Carrigan: [00:18:58]  So they have to do this. Apple can say, that hard drive's not going into our computer. But Microsoft cannot say that. 

Dave Bittner: [00:19:05]  Yeah. That's an interesting point because Apple has - I believe they call it the T2 chip which comes on some of their newer systems that - and one of its jobs is to take care of on-the-fly encryption. 

Joe Carrigan: [00:19:17]  Right. Is it a trusted platform module? 

Dave Bittner: [00:19:19]  I believe so. 

Joe Carrigan: [00:19:20]  OK. 

Dave Bittner: [00:19:20]  So like you say - but Apple knows they have the hardware and the software. Microsoft has to be able to run anywhere. 

Joe Carrigan: [00:19:26]  That's correct. 

Dave Bittner: [00:19:27]  Yeah. 

Joe Carrigan: [00:19:28]  Yeah. It's a big difference. 

Dave Bittner: [00:19:29]  All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:19:31]  My pleasure, Dave. 

Dave Bittner: [00:19:36]  And that's the CyberWire. 

Dave Bittner: [00:19:38]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:49]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.