The CyberWire Daily Podcast 12.13.19
Ep 989 | 12.13.19

Phishing for credentials. Compromised Telegram accounts. Lateral movement. Crypto Wars updates. Data retention compliance. Iago did it for the lulz.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here with some exciting news. We are pleased to announce our news subscription program, CyberWire Pro. It's launching early in 2020 for cybersecurity professionals and others who want to stay abreast of our rapidly evolving industry. CyberWire Pro is a premium news service that will save you time as it keeps you informed. You can learn more and sign up to get launch updates at thecyberwire.com/pro. That's thecyberwire.com/pro. Do check it out. Thanks. 

Dave Bittner: [00:00:34]  Parties unknown are phishing for government credentials in at least eight countries. Some other parties unknown are compromising Telegram accounts in Russia. Lateral movement is in the news, but not the good, Lamar Jackson kind. A familiar order of battle in the Crypto Wars emerges again. NSA's IG report on SIGINT data retention. And a peek into what we suppose we must call the minds of some of the people hacking Ring systems. 

Dave Bittner: [00:01:06]  And now a word from our sponsor, the upcoming Cybersecurity Conference for Executives. The Johns Hopkins University Information Security Institute and Ankura will host this event on Wednesday, March 25 in Baltimore, Md., on the Johns Hopkins Homewood campus. You can find out more at isi.jhu.edu and click on 6th Annual Cybersecurity Conference for Executives. Learn about the dos and don'ts of risk management with industry leaders and other cyber professionals. Check out the details at isi.jhu.edu. Click on the 6th Annual Cybersecurity Conference for Executives. And we thank the Johns Hopkins University Information Security Institute for sponsoring our show. 

Dave Bittner: [00:01:54]  Funding for this CyberWire podcast is made possible in part by McAfee - security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:16]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, December 13, 2019. Researchers at Anomali describe a phishing campaign apparently intended to harvest credentials from some 22 government agencies and government contractors in several countries around the world. U.S. targets have received the most attention, but Australia, China, Japan, Mexico, Peru, Poland and Sweden were also prospected. The U.S. targets include the Departments of Commerce, Energy and Veterans Affairs. 

Dave Bittner: [00:02:48]  No one, ZDNet says, has any idea who's behind the operation or what their ultimate objective might be, but there's some speculation that the goal might be industrial espionage or some related form of criminal activity. The phishing emails directed victims to a site where they were asked to enter their credentials. About 120 bogus sites were deployed over the course of the campaign. 

Dave Bittner: [00:03:10]  Forbes reports that Group-IB is investigating compromises of Telegram accounts belonging to a number of Russian entrepreneurs. Attribution in this case is also mysterious, but Group-IB doesn't think the incidents involve any flaw in the messaging app. The researchers do note that Telegram credentials are being widely traded in the dark web. 

Dave Bittner: [00:03:30]  In the course of its investigation of exploits leaked by The Shadow Brokers, Zscaler has found a botnet it's calling BuleHero that excels at lateral movement within its targets. The more lateral movement an attack technique is capable of, the more dangerous it is to the networks it infests. 

Dave Bittner: [00:03:48]  Techdirt reports that Representative Ro Khanna, a Democrat of California representing the California 17th district, which includes much of Silicon Valley, sent a pro-encryption letter to Senator Graham, Republican of South Carolina, who's running the Judiciary Committee's hearing on encryption. Representative Khanna's position is pro-encryption, as is the position of most of the tech companies. 

Dave Bittner: [00:04:12]  He also attached a letter from Pentagon CIO Dana Deasy that stressed the importance and value of strong end-to-end encryption. Deasy's letter to Representative Khanna said, in part, quote, "The importance of strong encryption and VPNs for our mobile workforce is imperative." He closed with this sentence: "The department believes maintaining a domestic climate for state-of-the-art security and encryption is critical to the protection of our national security." This seems to have been the pattern in the Crypto Wars, at least in the U.S. The Defense Department has been notably more pro-encryption than the Department of Justice. The Intelligence Community has been quieter but generally hasn't shown much disposition to jump on the anti-encryption bandwagon. To some extent, this almost certainly reflects agencies' disposition to approve of the things that make their jobs easier. Encryption makes the DOD's job easier, but it makes Justice's job harder. 

Dave Bittner: [00:05:05]  In the U.S., NSA's inspector general has found deficiencies in the agency's data retention procedures. Some signals intelligence data have been retained beyond limits established by law and policy. The IG looked at two representative data stores and found that the agency had retained a small percentage of the large number of SIGINT data objects beyond legal and policy retention limits. As the IG pointed out in the report's conclusion, the deficiencies the investigation found could have an effect on privacy and civil liberties. 

Dave Bittner: [00:05:37]  The conclusion isn't that there's a major scandal or a great deal of nefarious collection underway, but rather that NSA has some work to do on compliance, and compliance in this matter is important since it touches safeguards of civil liberties. The IG made 11 recommendations to improve NSA compliance procedures. The agency accepted the findings and is working to bring its procedures into compliance. The IG's report can also serve as a cautionary tale. Anyone who thinks compliance is easy should ask NSA, which is a well-resourced and professional agency. 

Dave Bittner: [00:06:11]  And finally, did you know? Have you heard? There are creeps abroad in cyberspace. We've been seeing accounts of people whose Ring cameras, which they've installed for the home security the system is designed to provide, have been hacked into by various alleged human beings who then use the system to wake people in the middle of the night, telling people, I can see you in bed, frighten and swear at small children, try to teach small children racist epithets and so on. These seem oddly pointless actions, yet someone's doing it. 

Dave Bittner: [00:06:43]  We're sorry to say that at least some of those someones are, well, podcasters. Many of the most repellent hacks were featured on the NulledCast podcast livestreamed on Discord, Vice reports. Vice's account offers an interesting inside look at the geniuses behind NulledCast. Apparently, it was funny, a joke - you know, like what you might see on "Jackass" or "Impractical Jokers." Once the hacks began to gain media attention - most disapprovingly, so bravo, media, on this one - the podcasters struck a new high-minded and socially responsible tone, writing, Nulled does not and will not tolerate the harassments of individuals over Ring cameras or similar. So the grammar's off, but the sentiment is surely one your high school civics teacher would approve of. 

Dave Bittner: [00:07:28]  There is also some evidence that the performance artists of the Ring caper are hearing footsteps of law enforcement. Vice found the following message on the NulledCast Discord server - hey NulledCast fans, we need to calm down on the Ring trolling. We have three investigations, and two of us are already probably effed. Drop suggestions on what else we should do. It will still happen, just on a smaller scale. Thanks, the NulledCast. 

Dave Bittner: [00:07:54]  That's not exactly a ringing call to straighten up and fly right, but at least they have the wit to realize that being effed is a bad thing. But if they are really effed, it couldn't happen to an effing better bunch of effers. So why did they do it? Hope for the glory of being an influencer and remoter but more glittering hopes of influence-pumped wealth? Maybe. But it still seems like motiveless malice. Motiveless malice is, alas, common enough in cyberspace, but it's also not new. After all, Iago did it for the lulz. 

Dave Bittner: [00:08:32]  It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We here at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you, too. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show. 

Dave Bittner: [00:09:34]  And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, it's always great to have you back. We wanted to touch today about some research that you all are working on when it comes to IoT and specifically, some cybersecurity testbeds. What do you have to share with us? 

Daniel Prince: [00:09:52]  Well, at Lancaster, one of the key things that we do is build things. It's one of the core parts of our research. Yes, we do the theoretical stuff, but we also like to do a lot of the applied research, really testing what it's like in a real environment. But as part of that, we build a lot of testbeds. And one of the testbeds we've been working on for nearly a decade now is our industrial control systems research testbed. And that's slowly - over the last couple of years, that's starting to develop into an Internet of Things testbed where we can really tackle some of the more interesting cybersecurity problems. 

Daniel Prince: [00:10:26]  But one of the challenges that we're finding, one of the things I wanted to talk about, is when you move from ICS to IoT, you're moving to this completely different physical process. So within industrial control systems, actually, it's quite straightforward to create something that emulates the water treatment work or electricity grid - notwithstanding those are quite complex, but it's a defined and scoped process. 

Daniel Prince: [00:10:51]  But the problem with a lot of IoT-type work is the process you're trying to emulate and simulate is that of people, that of a group of people working in a building. If you're thinking about industrial IoT, yes, again, that's related to industrial processes. But a lot of the IoT technology that sits around that also interacts with humans in a slightly different way than just your pure industrial control system. So one of the challenges we're trying to tackle here at Lancaster is how do we build an IoT testbed that enables us to have high accuracy around the human aspect of interaction with that - those systems. 

Dave Bittner: [00:11:28]  Is it a matter of that there's a much greater degree of complexity? 

Daniel Prince: [00:11:34]  Well, yeah. So when you think about - say you're trying to simulate an IoT SMI environment for a building. So you take the building that I work in, InfoLab, you know, there's 60 academics, the academics that work in there, about 40 support staff. Then you've got a whole number of businesses. So you've got about 20 businesses that work in that building. They've got four or five staff as well. So you're talking several hundred people going in and out of that space. And then you've got a cafe in there as well. So it's a great place to work, but you've got lots of people going through. 

Daniel Prince: [00:12:04]  Now, if we wanted to simulate or practice in that SMI environment, yes, we can scope it down. But how do we scale it up? You know, how do we simulate the behavior or emulate the behavior or capture the real-world behavior of 200, 300 people on a day-to-day basis? Sitting around that is all the privacy and ethics concerns. And this is one of the big challenges that we're facing as we're starting to develop our IoT research, is that the actual physical process that we need to test is that of human beings interacting in a social environment. 

Dave Bittner: [00:12:37]  And I suppose the range of potential devices that can be brought in and made part of an IoT network is much broader than what you would have to deal with ICS. 

Daniel Prince: [00:12:48]  Yeah. And one of the key things there as well is the range of devices are also the attack vectors. And you're never quite certain actually what the attacker might be trying to do. We've heard all sorts of stories about attackers breaking into organizations via temperature sensors in fish tanks, for example. And they all hang off similar or interconnected networks. And the key part of the attack for IoT is really that human element in a - probably, and I would suggest, in a way that's not much different to the ICS testbeds that we're used to. Because of that, it's really important that we understand the way that the individuals interact with the IoT environment much more than perhaps we do with ICS testbeds. 

Dave Bittner: [00:13:32]  All right. Well, it's interesting research to be sure. Daniel Prince, thanks for joining us. 

Dave Bittner: [00:13:41]  And now a word from our sponsor OpenVPN. OpenVPN Access Server is a flexible VPN solution that secures data communications from remote access to IoT to networking cloud data centers. While private networks have the security advantage of isolating critical IT services, it can be costly to extend to different sites, devices and users. Enter OpenVPN Access Server, a full-featured and cost-effective VPN solution. Access Server has an economical licensing model based on the number of concurrent VPN connections rather than the number of users. OpenVPN Access Server can be deployed on premises or on the cloud and allows load balancing, failover and fine-grained access controls, making it the best solution for small to medium-sized enterprises. You can test drive OpenVPN Access Server for free. It comes with two VPN connections. Get started today at openvpn.net/cyberwire. And we thank OpenVPN for sponsoring our show. 

Dave Bittner: [00:14:53]  My guest today is David Belson. He's senior director of internet research and analysis at the Internet Society, a group that has its origins in the Internet Engineering Task Force. Their stated mission is to support and promote the development of the internet as a global technical infrastructure, a resource to enrich people's lives and a force for good in society. My conversation with David Belson focuses on Russia's sovereign internet law and how efforts like it may ultimately affect a free and open global internet. 

David Belson: [00:15:26]  So, I mean, right now, obviously the law, the sovereign internet law, is focused on Russia and the Russian internet in terms of tightening control over it with respect to DNS, with respect to filtering and deep packet inspection and so on. The way it impacts the rest of the global internet, I guess is a couple fold. One is that it may make it more challenging for users outside of Russia to access resources that are hosted within the country. So if you are an expat and you want to access Yandex or another tool or application that's hosted within the country, it may be the case that it slows down, or it just becomes inaccessible for users from certain countries. 

David Belson: [00:16:08]  But I think that the bigger threat, to be honest, is that other countries are looking at this and monitoring the effort, monitoring the potential success and looking to implement something similar within their countries. We saw this with - around last month, for instance. They had a multi-day internet shutdown there. And, you know, talking to some of the folks within the industry, it appears that it may have been something of a trial run for their national intranet, which they've been talking about doing for several years. 

Dave Bittner: [00:16:43]  I've heard some policy folks refer to it as the splinternet, that, you know, we'll have these sort of - perhaps islands around the world. What does it mean for internet providers, the folks who are routing the traffic around the globe? 

David Belson: [00:16:59]  It's a complex system to start with, but I think it's going to wind up adding complexity because you now have potentially these islands of connectivity that exist within a country or outside of the country. So, you know, questions of how do I route this traffic - if the traffic is coming from within one of these splinternet countries, you know, does it get routed outside the country, or does it have to stay within? If I'm an international provider, an international backbone provider, I need to figure out, you know, can I reach endpoints within that given country. And if so, how? 

David Belson: [00:17:32]  The Russian model now is talking about only exchanging traffic at specific, approved internet exchange points. So that may create challenges as well for these international providers, where today, because the Russian internet has grown up a little more freely over the years, there are dozens of internet exchange points out there - or within the country, excuse me - connecting hundreds of networks. So that may change if I'm an international network provider or an international content provider going forward under this new law. 

Dave Bittner: [00:18:05]  Does it mean that we'll end up with some pinch points where, you know, all data has to route through specific areas for inspection, if you will - you know, a border stop virtually? 

David Belson: [00:18:19]  Under this law, yes. Absolutely in Russia. That's what they've said, is that domestic traffic will have to only be exchanged within these approved internet exchange points. There is a component within the law about switching to a - effectively a national DNS system, so basically where they can control the ability to enable a user to get to twitter.com or what have you - Wikipedia, whatever. 

David Belson: [00:18:45]  Not only are they potentially limiting the number of exchange points that the traffic can go through, but they're also talking about implementing filtering and things like deep packet inspection at those exchange points. My understanding is that the providers locally are starting to warn users that this may result in slower services ultimately, you know, because all those - all that traffic has to go through those now limited number of pinch points. 

Dave Bittner: [00:19:07]  Do we suppose that folks are going to spin up workarounds? I mean, I'm imagining sort of the internet version of pirate radio stations. 

David Belson: [00:19:15]  (Laughter) It's likely that they will try to. You know, my understanding is that there's already been some efforts online to talk about, OK, if this goes into place, here's how we can get around it. You know, that may be VPNs. It may be using alternative DNS providers. It may be using alternative tools that can enable traffic to masquerade. So, you know, traffic that's normally, you know, over one protocol can sort of be smuggled over a different protocol that may not be getting filtered, or it may be much harder to filter. So I think that as this is implemented, we'll definitely see efforts to circumvent it. 

Dave Bittner: [00:19:49]  What's been the response from other nations around the world, you know, those who are interested in a free and open internet? 

David Belson: [00:19:55]  Certainly not a positive one, at least among those countries. For those of us that are interested in a free and open internet, we don't want to see something like this. You know, the other challenge as well is that these efforts ultimately reduce internet resilience as a whole. So the internet is an interconnected network of networks. It only works successfully when everybody is sort of behaving themselves and cooperating. When these things start occurring, it ultimately lowers the resiliency of the global internet. That's a bug, not a feature. Russia may be looking at it as a feature, but for everybody else, it's really a problem. 

David Belson: [00:20:31]  So, you know, we may not see things immediately, but I think over time, we'll have to continue to watch and see, you know, is there - are there any artifacts of what they're doing here? But I think that we also need to continue to work as an industry and as a community to convince the legislators and the policymakers in countries that maybe are looking at this with interest that this is not the right approach, and this is not the road they should be going down, that their free and open internet is critically important and that it has ultimately, you know, a number of benefits for their country. Even if they're looking at it and saying, you know, Jesus loves our citizens to communicate or to organize or what have you, there's a number of other impacts, a number of other benefits that an open internet has for them as well that they need to really understand and focus on. 

Dave Bittner: [00:21:22]  That's David Belson from the Internet Society. 

Dave Bittner: [00:21:22]  And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:21:35]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.