Secondary Infektion may be back, and interested in UK elections. Quantum Dragon. FaceApp risks. PyXie RAT in the wild. An Ethereum developer is charged with helping North Korea evade sanctions.
Dave Bittner: [00:00:03] Someone believes, or would like others to believe, that Britain's National Health Service is for sale to the U.S. There's no word on whether the U.S. has offered the Brooklyn Bridge in exchange. The Quantum Dragon study summarizes Chinese efforts to obtain quantum research results from Western institutions. The FBI says FaceApp is a security threat. PyXie, a Python RAT, has been quietly active in the wild since 2018. And an Ethereum developer is accused of aiding Pyongyang.
Dave Bittner: [00:00:36] And now a word from our sponsor, KnowBe4. Endpoint security, firewalls, VPNs, authentication systems - we've all got them. But do they really provide the comprehensive level of security your organization needs to keep the bad guys out? Are they giving you a false sense of security? The unfortunate reality is that each of these security layers can provide hackers with a backdoor right into your organization, and KnowBe4 will show you how. They've got an exclusive webinar with Kevin Mitnick, the world's most famous hacker and KnowBe4's chief hacking officer. He'll show you the three most common causes of data breaches, he'll share demos of significant vulnerabilities in common technologies, and he'll share his top tips for security defenders. Go to knowbe4.com/vulnerabilities, and register for the webinar. That's knowbe4.com/vulnerabilities. And we thank KnowBe4 for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:58] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, December 3, 2019. A leak of purportedly secret documents outlining alleged topics of Anglo-American trade talks appears to be foreign disinformation, most likely of Russian origin. Reuters reports that researchers see similarities to the Secondary Infektion campaign the Atlantic Council unmasked in June. The incident has raised concerns that foreign attempts to interfere with upcoming British elections may already be in progress. The report in Reuters is ambiguous. On the one hand, it notes that the opposition Labour Party is citing the documents as representing genuine leaks that show the intention of the ruling Conservative Party to sell Britain's National Health Service to the United States.
Dave Bittner: [00:02:47] On the other hand, the idea that either the U.K. or the U.S. would actually be interested in such a transaction seems pretty far-fetched. Reuters says it's been unable to verify that the documents are genuine, and no comments were available from Her Majesty's government, the U.S. trade representative or, surprisingly, the Labour Party itself. Of course, we don't have any direct knowledge of the documents. But if you bet on form, as we like to do, we think it's probably a lot of hooey. Forgive our lapse into the technical jargon of analysts.
Dave Bittner: [00:03:19] The provenance of the documents is dubious, to say the least. They seem to have been first shared on Reddit by a user who seemed not to be a native speaker of English and that the poster's language and the websites and social media used to disseminate the documents all looked a great deal like Secondary Infektion. The researchers who've looked into the matter, including teams at the Atlantic Council's Digital Forensic Research Lab, Graphika and the universities of Oxford and Cardiff, think the whole affair looks fishy. Attribution in such matters is notoriously difficult, and Moscow isn't talking either. But Lisa-Maria Neudert, a researcher at Oxford University's Project on Computational Propaganda, observed to Reuters that if it's indeed a Russian operation, quote, "we know from the Russian playbook that often it is not for or against anything. It's about sowing confusion and destroying the field of political trust" - end quote.
Dave Bittner: [00:04:15] U.S. security startup Strider has released a report on how China has penetrated quantum research laboratories in the U.S., Switzerland, the U.K. and Germany to obtain results that have important military applications. Much of that penetration seems to have been obtained in traditional ways by forming partnerships with universities, recruiting Western scientists and placing students and faculty in research institutions of interest. Heidelberg University is said to have been particularly thoroughly prospected.
Dave Bittner: [00:04:45] As the year winds down and we head into 2020, the coming elections present a security challenge at multiple levels, local and national. Earl Matthews is chief strategy officer at Verodin, which is a FireEye company, and he shares these insights.
Earl Matthews: [00:04:59] At the state level, every state has a secretary of state, just like we do at the national level. And they're actually the ones who are responsible as the chief election officer and have responsibility for the election administration - you know, the testing and certifying that all the voting equipment for security, the accuracy, the reliability and accessibility to ensure that every vote is counted as cast belongs to the secretary of state and the election commission. But the states also have - reporting to the governor in a separate chain of command are chief information officers, which are appointed by the governor, and the chief information security officer.
Earl Matthews: [00:05:40] While these employees don't have a direct working relationship or reporting relationship with the secretary of state and the election commissions, I think that they should, especially with this growing importance of cybersecurity, have a tighter relationship among states. And that's primarily because I don't think we have been treating the election system as a business system. And that is really the fundamentally of the CIO and chief information security officers.
Dave Bittner: [00:06:07] What do you mean by treating it as a business system?
Earl Matthews: [00:06:10] Typically, what ends up happening with voting is we treat it as isolated events, and it's not a consistent event that happens every single day. And so as a result, we don't - tend not to put the same layers of defense in place for our election system as we would treat a business system that is being accessed every single day.
Dave Bittner: [00:06:35] What about this notion that rather than the actual, you know, physical altering of votes, the idea that people don't have a trust in the system, that that can be just as corrosive?
Earl Matthews: [00:06:49] Yeah, Dave, I - you know, I am becoming less and less concerned with the actual physical mechanism of voting because, as I mentioned earlier, I think the companies are doing a pretty good job on putting in, you know, access controls to those. What I actually am getting more concerned about is what I would consider left of the voting day, and that is the hacking of the voter database rolls, hacking at the DMV because that's connected to the election system. I'm worried about phishing. I'm worried about spoofing of websites on the day of the election, you know, kind of producing false information or misinformation, saying that a particular polling place is closed or there's an email, comes - that looks like it's coming from the election official giving out false information. That's really kind of what I'm starting to become more concerned about than the actual, you know, physical day of voting.
Dave Bittner: [00:07:48] You know, I've heard many people who work in the realm of election security say that they believe that the ultimate fallback here is that we need to be writing things down, that, you know, paper ballots and paper records are a backstop that we should have. What's your take on that?
Earl Matthews: [00:08:08] My take is that when you go in and you use a voting machine to vote, that not only is there an electronic record, but it also produces a paper ballot in which then the voter can sign. And then that, you know, can also be used then when we do the audits if there seems to be an irregularity. So I'm a fan of actually both. I think the electronic version - right? - speeds up the counting of the vote. If you only go to paper-only ballots - right? - which is the most secure way, however, you know, that even depends - that has some vulnerabilities - right? - because it has to be physically transported somewhere. It just takes longer to tabulate the vote.
Dave Bittner: [00:08:51] So ultimately, I mean, what are the take homes here? What are your recommendations? Both as security professionals and citizens, what should our attitude be towards securing our elections?
Earl Matthews: [00:09:01] So, one, I think for the election commission folks - right? - they really need to understand what the evolving threat landscape is on what are the techniques and how that vulnerability system could be upset - right? - during the whole process through the year. They need to deploy, like we do in IT business systems, a layered defense, which, you know, includes physical security, you know, system hardening, user authentication, encryption, audits and trails like that. They should take advantage of existing online resources on - about election security. DHS has election services - really good whitepapers on that - as does Cook County, as does the Belfer Center at Harvard University, as does this internet (ph) for internet security, just to name a few.
Earl Matthews: [00:09:54] They need to practice good cyber hygiene - still the No. 1 problem even for business systems, which means you have to have a culture around elections the same way that we have around our financial and medical information. I think that none of the elections should be connected to the internet, even if they're automated. I think election commissions need to use risk-limiting audits. If there's a wide variance, that means there is a percentage of records that have to be recounted. And then finally, as part of this overall ecosystem, we - it's not just the election system because it's tied into the voter database system, and it's tied into the DMV and tied into other systems. So that's why I recommend the involvement of the state chief information officer and the state chief information security officer.
Dave Bittner: [00:10:42] That's Earl Matthews from Verodin.
Dave Bittner: [00:10:46] Responding to senatorial questions, the U.S. FBI said the Russian-developed facial image editing application FaceApp represents a counterintelligence threat. The New York Times points out that FaceApp denies sharing data with anyone, including the Russian intelligence and security organs, and says that most images are deleted from its servers within 48 hours. But the FBI regards any app built in Russia as inherently problematic. Russian services have robust cyber exploitation capabilities with both the ability and authority to remotely access all communications and servers on Russian networks without making a request to ISPs.
Dave Bittner: [00:11:26] BlackBerry Cylance describes PyXie, a new Python remote access Trojan. This particular RAT delivers ransomware to targets in the education and health care sectors. It's been quietly active in the wild since 2018, the researchers say, and it hasn't attracted much attention. Its operators have been more successful than most at obfuscation and misdirection.
Dave Bittner: [00:11:47] A U.S. Ethereum developer was charged Friday with offenses related to helping North Korea evade sanctions. Virgil Griffith, whom the U.S. denied permission to travel to Pyongyang, nonetheless obtained travel documents from what U.S. federal prosecutors describe as a diplomatic mission facility in Manhattan, presumably a DPRK mission associated with the United Nations, and then, in April, used those documents to attend a conference in Pyongyang. What's objectionable about that? According to the U.S. prosecutors, here's the problem. The topic of Mr. Griffith's talk was how North Korea could use cryptocurrency to achieve independence from the global banking system. And that, in the considered view of the U.S. government, amounts to providing North Korea with technical knowledge Pyongyang would use to launder money and evade international sanctions.
Dave Bittner: [00:12:39] North Korea is under very tight international sanctions that have effectively crippled it financially and rendered the Kim regime a pariah state. Those sanctions are, for the most part, aimed at North Korea's nuclear and ballistic missile programs. Mr. Griffith, whom Fifth Domain describes as someone who established himself as a bit of a tech embarrassment back in the aughts, is charged with one count of conspiracy to violate the International Emergency Economic Powers Act. He's had brushes with the law before, but those were the sorts of things that aren't uncommon among those who buy into the hacker romance.
Dave Bittner: [00:13:14] While a student at the University of Alabama, for example, he and another student had described ways of hacking a campus debit card system to get free sodas, free use of laundry machines and access to the other impedimenta of undergraduate life. That time, he apologized, promised not to actually build the device he described and agreed to 40 hours of community service. The stakes, unfortunately, are higher this time around. The government has said that Mr. Griffith had at least one co-conspirator, so far unnamed, who will be brought to New York and arrested.
Dave Bittner: [00:13:52] And now a word from our sponsor, ExtraHop - delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:14:50] And joining me once again is Ben Yelin. He's the program director for public policy and external affairs at the University of Maryland Center for Health and Homeland Security and also my co-host on the "Caveat" podcast. Ben, it's great to have you back.
Ben Yelin: [00:15:02] Good to be with you again.
Dave Bittner: [00:15:04] Interesting article - this is from CNET. There's a bipartisan bill that would require agencies who wanted to use facial recognition surveillance. Well, they would have to get a warrant. What's going on here?
Ben Yelin: [00:15:18] So this is a bipartisan bill in the United States Senate proposed by Senator Chris Coons of Delaware and Mike Lee of Utah - Coons, the Democrat. Lee is a Republican but sort of libertarian leaning. And what this bill would do is set the first federal standards for the use of facial recognition. It would apply to applications to surveil somebody for up to 72 hours using facial recognition software.
Dave Bittner: [00:15:45] So if you go beyond 72, that's where the warrant requirement kicks in?
Ben Yelin: [00:15:48] Would be required.
Dave Bittner: [00:15:49] Yeah, OK. Interesting.
Ben Yelin: [00:15:50] A warrant would not be required for identification purposes. So we use facial recognition software at the federal level to identify individuals, particularly as it relates to their immigration status. So I know this article mentions that ICE, Immigrations and Customs Enforcement, uses that technology for identification, and that would not be covered under this piece of legislation. So while, you know, I think this is a noble effort, it sort of falls short in the mind of civil liberties advocates in a number of ways.
Ben Yelin: [00:16:24] You know, first and foremost, this is kind of obvious. But when you're passing any sort of federal law dealing with law enforcement, it's a relatively limited universe because most law enforcement activity happens at the state level. So this bill wouldn't prevent, you know, state police or local police departments from using facial recognition software for monitoring without a warrant. And we already know that that's something that does happen in a lot of states.
Dave Bittner: [00:16:52] Now, would - so that being the case, is this a situation where, for example, a federal law enforcement organization could partner with their local friends at the state level and the state folks would be fine doing the surveillance?
Ben Yelin: [00:17:07] Yeah. Although, you know, if you had a statute, you could construct a statute in such a way that you could prohibit any federal agency from, you know, even partnering with a state organization...
Dave Bittner: [00:17:18] I see.
Ben Yelin: [00:17:19] ...Using this technology.
Dave Bittner: [00:17:20] OK.
Ben Yelin: [00:17:21] The other limiting factor, which this article mentions, is that the type of persistent facial recognition surveillance they talk about here isn't really something that the federal government does. To this point, the technology's just not quite ripe enough for the federal government to use. So it's sort of, I think - one of the advocates against this piece of legislation - not necessarily against it, but somebody who was observing this legislation was sort of like, what's the point? If we're not preventing facial recognition for identification purposes and we're, you know, requiring warrants for something the federal government is not yet doing, why even do this in the first place? You know, I think the answer to that is probably just laying the groundwork. We have this area of concern. I mean, facial recognition obviously poses major privacy and civil liberties concern. And this is sort of a first stab at trying to put some federal regulation behind it.
Dave Bittner: [00:18:19] So unlikely that this will have a lot of traction in its current form but maybe an initial volley to start the conversation.
Ben Yelin: [00:18:28] Exactly. Yeah, I don't see this piece of legislation going anywhere. I mean, nothing really goes anywhere in the United States Senate.
Dave Bittner: [00:18:36] (Laughter) It's your optimism I admire.
Ben Yelin: [00:18:37] It is, yeah. Absolutely. I would not bet my life on a piece of legislation passing the Senate.
Dave Bittner: [00:18:42] Right (laughter).
Ben Yelin: [00:18:44] But, yes, I believe this is sort of the first volley. You know, it's always - there's going to be some piece of maybe broader data privacy legislation in the future, and maybe this becomes one component of that, and that happens frequently.
Dave Bittner: [00:18:55] Yeah.
Ben Yelin: [00:18:56] You sort of get something on the record, you know, lay down a claim that you think a certain type of surveillance should be regulated, and that sort of seeps into, you know, the national political conversation.
Dave Bittner: [00:19:08] Gets people talking about it like...
Ben Yelin: [00:19:09] Absolutely.
Dave Bittner: [00:19:10] ...You and I.
Ben Yelin: [00:19:10] Yep.
Dave Bittner: [00:19:11] All right (laughter).
Ben Yelin: [00:19:12] We're part of the solution.
Dave Bittner: [00:19:13] There you go. All right. Well, Ben Yelin, thanks for joining us.
Dave Bittner: [00:19:20] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:32] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.