More coordinated inauthenticity taken down. The Westphalian system and cyber conflict. VPNs and an AV company sustain incidents. Assange and extradition.
Dave Bittner: [00:00:03] Facebook takes down more coordinated inauthenticity from Iran and Russia and announces a new transparency policy about news sources. The former NSA director schools an ICS security audience on the Westphalian system. Three VPNs and one antivirus provider sustained breaches that may be contained but that may also derive from exploitation of phantom accounts. Microsoft gets more EU scrutiny. And Mr. Assange gets another day in court.
Dave Bittner: [00:00:37] And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud threats fall on customers to resolve, and prevention-based security wasn't designed for the modern attack surface. That's why Gartner predicts that 60% of enterprise security budgets will go towards detection and response in 2020. ExtraHop Reveal(x) Cloud is the only SaaS-based network detection and response solution for AWS with complete visibility, real-time threat detection and automated response powered by cloud-scale machine learning. Request your 30-day free trial of Reveal(x) Cloud at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:32] Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:55] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 22, 2019.
Dave Bittner: [00:02:03] Facebook announced yesterday that it's removed four distinct networks of accounts, pages and groups from Facebook and Instagram for engaging in coordinated inauthenticity. Three of the networks originated in Iran, the fourth in Russia. Two of the Iranian networks advanced a pro-Iranian, anti-Israeli and anti-U.S. line. Their audience was principally in the U.S. and the Francophone regions of the Middle East and North Africa. The third promoted similar content to a Latin American audience. The Russian network pursued Moscow's now familiar strategy of deepening existing fissures in American civil society.
Dave Bittner: [00:02:42] The policing of coordinated inauthenticity that Facebook and some other platforms are pursuing seems to many a promising approach. It serves clarity and transparency without necessarily engaging the platforms in direct moderation or control of content. Facebook also said it will begin labeling content from state-controlled media not to censor them, but to hold them to a higher standard of transparency, the Telegraph reports. Thus we can expect Facebook to flag news from RT, to take an example often given, as emanating from a media service controlled by the Russian government.
Dave Bittner: [00:03:21] We continue to cover SecurityWeek's 2019 ICS Cyber Security Conference. Now in its second day, the conference this morning featured a fireside chat with retired Admiral Mike Rogers, formerly director, U.S. National Security Agency and commander, U.S. Cyber Command. He reviewed the strategic motives of the opposition in cyberspace. Singling out North Korea, Russia and China, he noted that these adversaries have different motives. North Korea seeks to circumvent the international sanctions that continue to strangle its economy. Russia's goal is basically disruption, with Moscow strongly interested in eroding trust in Western and especially in U.S. institutions. China works in the service of its economic development. And its characteristic activity is intellectual property theft. What they have in common, however, is an understanding of cyber as embodying new military and espionage capabilities. And they use those capabilities in the service of their strategic objectives.
Dave Bittner: [00:04:21] So Admiral Rogers made a case for approaching cybersecurity, in the context of national security, as a risk management problem. And, he argued, sound risk management should begin with an appreciation of the opponent's strategic goals. When we work through that risk calculus, he emphasized that we inevitably work with constrained financial and human resources. We can't, he said, buy or human capital our way out of the problem. Instead, we need to take risk-based decisions and to make sure that those decisions are informed by a sound understanding of the opposition's strategy.
Dave Bittner: [00:04:57] We have to prioritize what we defend. As he put it, if someone takes down an unclassified website, who cares really? But if they get into a nuclear command and control system, that's a very serious matter indeed. Just passively responding will place us on the wrong side of the cost equation, Admiral Rogers argued. In any conflict, quote, "I want to engage in actions that shape my adversary's choices. I want to drive him to make choices that benefit me," end quote. This is as true in cyberspace as it is in any other domain. He thinks that the future is about building integrated, multidisciplinary teams. As he put it, you can't improvise teams in a crisis. They must be formed in advance and exercised appropriately. If you do this, then you have a proper basis for cooperation. And in a crisis, you're so much smarter and faster.
Dave Bittner: [00:05:47] A lesson he said he learned from Russian cyber operations in 2016 was the importance of communicating at high levels. He said, quote, "we thought that informing the normal working level in the private sector was sufficient. If we were to do it over, we should have taken it to CEOs, CISOs and not the lower levels," end quote. And of course, effective cooperations for security requires effective information sharing. Admiral Rogers said, the pain of the one has to lead to the benefit of the many. If it doesn't, then the pain of the one is forgotten and is repeated over and over and over again.
Dave Bittner: [00:06:23] Discussion of nation-state activity against industrial control systems inevitably raises questions about where responsibility for an appropriate response lies. Admiral Rogers pointed out that a response always starts with a question - are you confident you know who did this? This isn't easy to determine. False flags are becoming more common, especially since one of the Russians' takeaways from their experience in 2016 running information operations against the U.S. is that they need to cover their tracks.
Dave Bittner: [00:06:54] For this reason, and for others, he takes the view that hacking back, as it's popularly called, is a non-starter. Quote, "I'm a believer in the Westphalian model, in which the application of force is fundamentally a governmental responsibility," end quote. Drawing upon an example he used in his days at NSA and Cyber Command, he said that if you're the sheriff trying to keep order in a town, the last thing you want is more people walking down the street carrying guns. There is a spectrum of purely defensive actions that private companies can take. But there are, he said, massive liability questions surrounding any of the active measures people talk about.
Dave Bittner: [00:07:31] And he closed with an observation about kinetic versus cyber responses. The response to a cyberattack need not itself be a cyber reprisal. Whenever there is a cyberattack, that attack has a physical dimension to it. There is a server, for example, at a specific latitude and longitude. There's a human being at a keyboard. How to respond should be governed in all cases by the traditional laws of war. And how to respond should above all be determined by considerations of proportionality. We'll have more notes from SecurityWeek's ICS Security Conference over the course of the week.
Dave Bittner: [00:08:07] One of the most commonly heard bits of security advice these days is to enable multi-factor authentication. It's solid advice, and research shows that doing so greatly reduces the odds of falling victim to any number of compromises. Ori Eisen is CEO at Trusona. He maintains that multi-factor is great, sure. But why not rethink the whole username and password thing altogether?
Ori Eisen: [00:08:32] So the 2FA wave kind of started about 20 years ago. And when we say the word 2FA or two-factor authentication, what we are really saying is that there's always the first factor, which is username and password - something that you know - and we need to augment it with a second factor. In fact, that was the point where we should have realized something is wrong with using passwords because we need to strengthen them. And over time for that second factor, we invented a multitude of things as an industry. We had those tokens that changed numbers. And we had the KBAs, knowledge-based authentication, like what's your mother's maiden name. But over time, people realized that I can just send you a text message to your phone with an OTP, a one-time passcode. And that became a very prevalent 2FA way to authenticate. Unfortunately today, it's being foiled time and again. And it is no longer serving its purpose.
Dave Bittner: [00:09:27] And what are the primary ways that it's being foiled?
Ori Eisen: [00:09:29] If I call the telephone company that serves your phone, and I pass the authentication challenge of your identity - and it's pretty easy to do - I can simply tell them that I got a new phone and I want to port my SIM to this new phone. And then if I try to log into the bank, they send me as the attacker your one-time passcode, not you. And the victim is not even aware that this is going on.
Dave Bittner: [00:09:54] Well, let's delve into that some. I think passwords have been around so long and we use them in so many ways that it's hard to imagine any other way. But you're saying there are alternatives.
Ori Eisen: [00:10:07] And I see that it's becoming more and more prevalent, which is really good, so people would see what it looks like. But imagine you go to your bank. And in addition to username, password and log-in, you have a new one called a password-less log-in. And all it does is once you click on it, it takes you to a page with a QR code that is changing every 30 seconds, so it's not a sitting duck. And in the app, the mobile app of your bank, you have a button that allows you to open a scanner, and you simply point at the QR code. That's it. You don't have to remember anything. You don't have to type anything. It's super-secure because it changes every time. And even if a crook was listening to this session and copying it, there's no way for them to re-transmit it and gain access. So it's maximum convenience for the user - they don't have to do anything - and super-security on the other end. And this technology already exists.
Dave Bittner: [00:11:01] So, I mean, with something like this, is it possible to then jettison username and password altogether?
Ori Eisen: [00:11:07] That is correct. And I know it's hard to believe. And some people say that can't be. But at our company and many of our clients, they simply do not use username and password. For a new employee that joins, all they do is get a phone. They enter the email off their, you know, their corporate email. They register that phone to that. And from that moment on, that is what they use. That is their key or authenticator. But they have never said from the get-go username and password.
Dave Bittner: [00:11:36] Are there any downsides to this approach? Are there any extra complications or roadblocks or speed bumps?
Ori Eisen: [00:11:44] The only complication is that you need to have your phone with you, and most people do. And for that reason, some security practitioners may leave username and password open for a little while until people get used to it. But that's the only complication. You need to have this key because you don't want to remember passwords in your head.
Dave Bittner: [00:12:04] What happens if I lose my device?
Ori Eisen: [00:12:06] So if you lose your device, two things happen. First of all, no one can get in there because it's protected by biometrics. So there is no fear of a rogue getting into your account. In addition, your CSO can just turn off that device. So no one can get access with it. And once you get your new phone, you simply re-register, re-prove your identity. The simplest method is just by corporate email. Another level above it is to show your driver's license to the app. And that's it, you're in.
Dave Bittner: [00:12:35] Do you see us moving towards a day when people just stop thinking about usernames and passwords, that it's become a thing from the past?
Ori Eisen: [00:12:43] I think that in the next three to five years, if you do not offer username and password to your employees and your customers, you will start to look like a has-been. It will be very similar to me using a fax today to send you my resume, David. But I can tell you that the future is already here, it's just not well distributed. But yes, over time, using passwords to open a new account will just look ridiculous.
Dave Bittner: [00:13:11] That's Ori Eisen from Trusona.
Dave Bittner: [00:13:15] NordVPN, TorGuard and VikingVPN are said by Ars Technica and others to have experienced breaches that leaked encryption keys. NordVPN and TorGuard have issued statements intended to reassure users that their security has not been seriously compromised. Avast has suffered more issues with its CCleaner product. The breach, which Avast says is now fixed, appears connected to exploitation by foreign intelligence services. ZDNet says Czech intelligence services identified the culprit as China. Krebs on Security points to a common factor in the NordVPN and Avast breaches - forgotten user accounts.
Dave Bittner: [00:13:55] The European Data Protection Supervisor has released an update on its ongoing investigation of Microsoft's contracts with various European institutions. That investigation remains incomplete, but the EDPS says that it has serious concerns over the adequacy of contractual provisions designed to ensure compliance with data protection rules.
Dave Bittner: [00:14:17] And finally, Julian Assange is back in the news. The WikiLeaks proprietor, having worn out his welcome and with it his asylum in Ecuador's London Embassy, is presently serving time in a British jail. Both Sweden and the U.S. have expressed their interest in giving him a day in court. Mr. Assange is more concerned about the U.S. charges he faces and is fighting extradition across the Atlantic. He says the U.S. indictment is politically motivated and that his alleged crimes amount to political offenses. Besides, it's also unfair. The U.S. is notoriously well-resourced, and he is a David without a slingshot against a Goliath with a horde of lawyers and even psychologists behind him. Mr. Assange faces seventeen counts under the Espionage Act and an eighteenth count of conspiracy to hack a military computer. When asked by the British judge if he understood the charges against him, Mr. Assange, according to The Washington Post, mumbled, "not really." It's hard not to sympathize with the notion of him being a David, one supposes, but the Post article seems to do a pretty good job of explaining the charges.
Dave Bittner: [00:15:29] And now a word from our sponsor, Dragos. Cyberattacks on oil and gas environments are continuing to progress in frequency and sophistication. Attackers are creating tailored attacks to cause significant operational and financial impacts. And most importantly, they're becoming aware they can overcome automated safeguards to cause physical effects and harm the lives of those who work in the facilities. Read the latest case study from Dragos to learn how they helped an oil and gas organization ensure it had detections and response plans against TRISIS-like activity on its networks and comprehensively defend its environment. You can find it at dragos.com/case-studies. That's dragos.com/case-studies. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:16:27] And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute and also the host of the ISC Stormcast podcast. Johannes, it's always great to have you back. You have been tracking some targeted phishing that's going after the financial industry. What do you have to share with us today?
Johannes Ullrich: [00:16:44] Yeah. One thing that's always sort of not clear to users about phishing is that most of the phishing attempts you see are pretty easy to recognize and just delete the email, but that there are hidden among all of these phishing emails that you receive, some that are different and that you may actually fall for. In this particular case, the phishing was directed at a company that actually offers loans. So they're used to - for example, for home loans - receiving documents from title agencies and such. And in this phishing email, the phishing attack actually tried to claim to be one of these title agencies. And now, of course, the recipient is used to receiving links to download sites, is used to receiving attachments like PDFs. So they actually use this email to then trick the victim to click on a link that would then steal their credentials for their cloud-based email service.
Dave Bittner: [00:17:49] Yeah. And do you have any tips for how to avoid this sort of thing? I mean, you know, this is something that's part of what they have to do to stay in business every day.
Johannes Ullrich: [00:17:58] And exactly. That's sort of what the attacker is going after here. Now, I think the defense here is really, you know, how do you prevent the credentials from actually being used? That's really what this is about. What typically happens sort of as a follow-up to these attacks is that the attacker would use these email credentials then to log in to this employee's email account, and then typically you would see some business email compromise as a follow-up. So that's how they actually make money. So what you really need to protect is that login to these cloud-based mail services. And, you know, the number one thing you can probably do here is some form of two-factor authentication.
Dave Bittner: [00:18:38] So even if they get through and the phishing attempt is correct, the two-factor will then thwart their attempt to control that email account.
Johannes Ullrich: [00:18:46] Yes, that's the hope here. Now, there have been some tricks how attackers have taken advantage of two-factor and still were able to actually compromise the account. But those are much more - much less common. So two-factor is probably the simplest, if you want to call it simple, thing that you can do to protect yourself against this. Yes, you know, user education helps. I think another thing that you should do is in your awareness education, don't just use these fairly-easy-to-recognize emails. But, you know, show people, hey, last week, we did receive one of these emails.
Johannes Ullrich: [00:19:23] And that's actually, I think, one of the things that I'm missing a lot, in particular sort of from the financial industry and such, that a lot of these attempts aren't shared. Now, in this case, they didn't fall for it. Nobody clicked on it. No damage was done. They did the job, right. Why not share with others, hey, we received this particular email? LoanDepot, the company that shared this with us, they are very open about this. And I think that helps others then to protect themselves because now I can show my users this is an attack that even a competitor or not our company and our - did receive. So be ready for it. They're not just using these simple emails full of typos that aren't really, you know, of any interest to you.
Dave Bittner: [00:20:09] So almost a herd immunity, that the more information we can share, the safer we'll all be.
Johannes Ullrich: [00:20:15] Yup, information sharing. That's really, you know, what helps us really a lot. And we have to really share better than the bad guys because they apparently are sharing a lot of their tricks.
Dave Bittner: [00:20:23] Right. Right. All right. Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:20:27] Thank you.
Dave Bittner: [00:20:33] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:46] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.