Sequelae of the US Reaper strike against the Quds Force commander. Warnings of Iranian retaliation, with an emphasis on cyberspace. Espionage in Austria, and a second look at an LSE outage.
Dave Bittner: [00:00:00] Hey, everybody, Dave here. Just a reminder that we are excited to announce our new subscription program, CyberWire Pro. It's coming in early 2020. For cybersecurity professionals who need to stay abreast of their rapidly evolving industry, CyberWire Pro is an independent news service you can depend on to stay informed and save time. This unique offer includes valuable content, such as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. Sign up to be one of the first to know of the CyberWire Pro release at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out.
Dave Bittner: [00:00:43] Iran vows retribution for the US drone strike that killed the commander of the Quds Force. The US prepares for Iranian action, and the Department of Homeland Security warns that cyberattacks are particularly likely. Some low-grade Iranian cyber operations may have already taken place. Austria's Foreign Ministry sustains an apparent state-directed cyber espionage attack. And the U.K. authorities are taking a second look at the August outages at the London Stock Exchange.
Dave Bittner: [00:01:17] And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud security failures will fall on customers, not service providers. Now that network detection and response is available in the public cloud, it's finally possible to close the visibility gaps inside your network. ExtraHop Reveal(x) Cloud brings cloud-native network detection and response to AWS, helping security teams spot, contain and respond to threats that have already breached the perimeter. Request your 30-day free trial of Reveal(x) Cloud today at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:02:37] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 6, 2020. The news, as it's developed over the weekend, centers on heightened tension between the US and Iran in the wake of attacks against US forces in Iran and the US retaliation that killed Iranian Major General Soleimani. Iran has promised retribution, and many believe that such retribution is likely to include a heavy cyber component. Fifth Domain offers an account of what an Iranian cyber campaign might look like. Betting on form, and with the initial reservation that Iranian operators have shown themselves capable of innovation, and therefore able to mount unexpected attacks, the experts Fifth Domain talked to think a data destruction attack to be one likely option. The Shamoon attacks against Saudi Aramco offer a precedent.
Dave Bittner: [00:03:31] Cyber espionage designed to develop target indicators for a kinetic attack is also a possibility. Iran has also engaged in distributed denial-of-service actions against US financial targets, and it has doxed the Saudi government, so the theft and release of sensitive documents would also be a possibility. Finally, Tehran is believed to have studied Russian attacks against Ukraine's power grid, and they've demonstrated the ability to hit infrastructure targets, including Bahrain's water distribution systems.
Dave Bittner: [00:04:02] Iranian operators, we might add, are also known to have taken an interest in US infrastructure. They have been attentive consumers of open-source material on ICS vulnerabilities, and they also conducted one easily overlooked attack, the 2013 intrusion into the control system of the Bowman Street Dam in downstate Rye, NY. That particular incident involved a small flood control dam and had no perceptible effect - the controls were offline for repair at the time - but it's an interesting cautionary tale. It was either a proof-of-concept or a demonstration or a shot across the Yankees' bow or - and this may be the most interesting possibility - a case of misidentifying the target. New York's Bowman Street Dam is very small infrastructure potatoes indeed, but there's a big irrigation dam in Idaho, the Bowman Dam, interference with which would have presented more serious problems. And Tehran's hackers might have believed themselves to be on to the dam in Idaho as opposed to the one in New York. So an ICS attack is among the realistic possibilities.
Dave Bittner: [00:05:10] That's also the official view of the US Department of Homeland Security. Cybersecurity and Infrastructure Security Agency Director Krebs tweeted a warning and a recommendation that enterprises brush up on Iranian cyber tactics, techniques and procedures - quote, "pay close attention to your critical systems, particularly ICS" - end quote. Do note CISA's emphasis on ICS - that is, industrial control systems. The Department of Homeland Security's bulletin on the National Terrorism Advisory System elaborates in part as follows - quote, "Iranian leadership and several affiliated violent extremist organizations publicly stated they intend to retaliate against the United States. At this time, we have no information indicating a specific credible threat to the homeland. Iran and its partners, such as Hezbollah, have demonstrated the intent and capability to conduct operations in the United States. Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber-enabled attacks against a range of US-based targets. Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States," end quote. So among the Iranian tactics Director Krebs advises everyone to review, the use of proxies figures prominently.
Dave Bittner: [00:06:39] A great deal of Twitter traffic associated with Tehran has organized itself around the preexisting hashtags #HardRevenge and #DeathToAmerica, as CyberScoop, citing the Atlantic Council studies, reports. There's also been one minor attack on a US government website that would seem to represent the work of either Tehran's operators or of patriotic hacktivists aligned with Iran. The website of the US Federal Depository Library Program, a GPO site that makes official documents broadly available, was defaced with Iranian messaging, Forbes and others report. Forbes characterizes it as a noisy attack, which is usually the case with cyber vandalism. The Department of Homeland Security is investigating, and as NBC News quotes CISA representatives, "it's too early for firm attribution." Quote, "At this time, there is no confirmation that this was the action of Iranian state-sponsored actors," end quote.
Dave Bittner: [00:07:35] SiliconANGLE, in its reporting, calls the hack the beginning of a potential cyberwar. That's not entirely wayward, but it is a bit breathless given that, really, this is hardly like General Beauregard firing on Fort Sumter or Moltke the Younger ordering the Kaiser's troops through Belgium. The affected site itself is neither a high-value or a high-payoff target. It's maintained by the US Government Printing Office as a low-cost, accessible way of providing interested citizens with easy access to official documents, like the full text of congressional bills and that sort of thing. The Federal Depository Library was probably a simple target of opportunity, hacked because it was hackable. We've seen that more than once over the past decade. At one time, the website's of small cities in the US Midwest were common targets of this kind of online vandalism, and that wasn't because the attackers thought the heartland was anything like the throbbing heart of the Great Satan; it's because the sites were small and casually constructed, it's because they were there and accessible.
Dave Bittner: [00:08:38] One odd bit of fallout from the US strike against Soleimani was a run on the US Selective Service agency's website that actually rendered it temporarily unavailable over the weekend. Younger Americans were responding to a meme that foretold a return of the draft should there be a full-scale war between the US and Iran. There was a similar run on the federal student aid site. Perhaps all of this is due simply to a lingering cultural memory of the way Dean Wormers delivered Delta House's midterm grades. In any case, a resumption of conscription is, to say the least, highly unlikely. But the rush to the draft board site is an instructive incident of the swift propagation of a meme.
Dave Bittner: [00:09:21] While people focus on US-Iranian tension, there is, of course, other activity in cyberspace. Austria's foreign ministry was hacked late last week in what appears to have been a foreign espionage campaign. Vienna is being cagey about attribution, as the BBC reports, and cagey about the details of the attack. But the BBC does bracket its own reporting of the few known facts with a review of Russian cyber espionage campaigns that suggests the way speculation at least is currently running.
Dave Bittner: [00:09:51] And finally, The Wall Street Journal says that Britain's GCHQ is investigating the possibility that a London Stock Exchange outage in August, regarded as an accidental glitch, may have, in fact, been a cyberattack. The London Stock Exchange said at the time that, quote, "a technical software issue had temporarily prevented trading in a range of securities," end quote, but it hasn't, according to the journal, explained just what the issue was. British authorities are looking into the possibility that if the incident was an attack, the attackers' goal might have been erosion of confidence in the financial sector, specifically, and in Britain's critical infrastructure, generally. So by all means, Cheltenham, dot the I's and cross those T's.
Dave Bittner: [00:10:41] And now a word from our sponsor, BlackCloak. Do you worry about your executives' personal computers being hacked? How about their home network, with all those IOT goodies they got over the holiday? Or credential stuffing attacks because of their password reuse? Executives and their families are targets, but unlike the corporate network, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cyber controls, hackers have turned their attention to the executives' home network and devices which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BloackCloak are able to deploy their specialized controls that protect your executives and their families from hacking, financial loss and privacy exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloack.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show.
Dave Bittner: [00:12:01] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:12:10] It's good to be back, Dave.
Dave Bittner: [00:12:11] This is a fun one I want to share with you. This is this something I came across on Twitter. It's from a gentleman named Michael Altfield. He's got a blog, and it's titled "Introducing BusKill: A Kill Cord for Your Laptop." And Michael's addressing a particular security concern here. I shared this with you. You want to take us through what's going on here?
Joe Carrigan: [00:12:31] OK. So here - it's an operational security concern.
Dave Bittner: [00:12:33] OK.
Joe Carrigan: [00:12:34] Not really a cybersecurity concern - right? - because at the end of the article, he says, you know, what if you've done everything right, right? You've got a password manager. You've got two-factor authentication. You're using a VPN at a coffee shop, right?
Dave Bittner: [00:12:44] Right.
Joe Carrigan: [00:12:44] And you're - you've accessed your bank account. And at that point in time, someone comes and snatches your laptop.
Dave Bittner: [00:12:50] So you're sitting at a coffee shop, doing your business.
Joe Carrigan: [00:12:53] Right. Yep.
Dave Bittner: [00:12:53] Someone comes along. I can imagine you or I sitting there. Someone much younger and more fit than either of us...
Joe Carrigan: [00:12:59] Right.
Dave Bittner: [00:12:59] ...Which is not hard to do...
Joe Carrigan: [00:13:00] No.
Dave Bittner: [00:13:01] ...Comes and snatches that laptop and runs away.
Joe Carrigan: [00:13:04] No way I'm catching that guy.
Dave Bittner: [00:13:05] And you're logged in.
Joe Carrigan: [00:13:06] Yeah, I'm logged in. Exactly.
Dave Bittner: [00:13:07] So they have access to things.
Joe Carrigan: [00:13:08] They have access to my bank account.
Dave Bittner: [00:13:09] OK, that's the scenario.
Joe Carrigan: [00:13:10] And despite the fact I've used my two-factor authentication, my password manager and my VPN, they still have access to my account. Well, what Michael has done is address this concern.
Dave Bittner: [00:13:20] OK.
Joe Carrigan: [00:13:21] And it's kind of a clever fix. But I'm going to start off by saying there's a caveat - Michael has developed this on a Linux machine, where you have a lot more control over what's going on.
Dave Bittner: [00:13:30] Yeah.
Joe Carrigan: [00:13:30] And what he's done is there's a service in Linux called udev. Now, udev is the device manager for the Linux kernel.
Dave Bittner: [00:13:36] OK.
Joe Carrigan: [00:13:37] All right? And in Linux, like in all the other Unix-like operating systems, everything is considered to be a file at some point in time, including the devices that you plug in to your computer.
Dave Bittner: [00:13:48] OK.
Joe Carrigan: [00:13:49] And udev is how you manage those devices when they're connected.
Dave Bittner: [00:13:53] I see.
Joe Carrigan: [00:13:54] So what he's built here is actually a pretty clever device. He has gone out and gotten himself a USB cord that has a magnetic connection to it.
Dave Bittner: [00:14:04] Like a breakaway cord.
Joe Carrigan: [00:14:05] Right. Exactly.
Dave Bittner: [00:14:06] OK.
Joe Carrigan: [00:14:06] So the first time I saw these cords was when somebody had a deep-fat fryer that they put a breakaway cord on, right? The thinking being that if you were running a deep-fat fryer in your kitchen and a kid comes running through there and they run through the cord because they're kids and they're not looking, that what happens is the cord just breaks away and the fryer doesn't move; the fryer full of hot oil doesn't move.
Dave Bittner: [00:14:30] Right. Right. And similarly, we saw these - Apple had power cords this way. So if you...
Joe Carrigan: [00:14:34] Apple. Yeah. Apple has power cords like this, and they're magnificent.
Dave Bittner: [00:14:35] ...Yank the cord...
Joe Carrigan: [00:14:36] Right.
Dave Bittner: [00:14:36] ...It doesn't pull the laptop to the ground and shatter (laughter).
Joe Carrigan: [00:14:38] Right. Right. The Microsoft Surface, I think, also has the same kind of cords.
Dave Bittner: [00:14:42] OK.
Joe Carrigan: [00:14:42] So they're great cords. But this is a USB cord with that feature.
Dave Bittner: [00:14:45] OK.
Joe Carrigan: [00:14:45] And so the connectionism is maintained via a magnet.
Dave Bittner: [00:14:49] Right.
Joe Carrigan: [00:14:50] And then into that magnetic breakaway adapter, he has a 1-meter cable that is attached to a USB thumb drive, and that thumb drive has a key ring hole in it that he runs a key ring through with a carabiner on it, and then he takes that carabiner and he clips it to his belt or clips it to his person.
Dave Bittner: [00:15:10] Oh. So he is tethered to his laptop while sitting in the cafe.
Joe Carrigan: [00:15:14] Right.
Dave Bittner: [00:15:14] All right.
Joe Carrigan: [00:15:15] So now what happens is somebody comes along, they snatch the laptop, but in so doing, they break that magnetic connection, which breaks the USB connection. And the udev rule says, hey, that USB device just got disconnected; lock the screen.
Dave Bittner: [00:15:28] I see.
Joe Carrigan: [00:15:29] Right? And that's what happens, and that's how Michael addresses the snatch-and-grab security risk.
Dave Bittner: [00:15:36] I like it.
Joe Carrigan: [00:15:36] I like it, too. It's clever.
Dave Bittner: [00:15:38] I guess I question how - I guess if you're someone who would need this, I guess you'd know it (laughter).
Joe Carrigan: [00:15:43] Right. Right. Yeah. And it's unfortunate that he - well, it's not unfortunate. I shouldn't say that. Right now, this is only a Linux solution. I'd like to see something like this for Windows.
Dave Bittner: [00:15:54] Yeah, I see some folks in the comments have a version that would work on Mac, which is Linux-y? (Laughter).
Joe Carrigan: [00:15:59] Well, yeah, it's BSD-based.
Dave Bittner: [00:16:00] Right. Right.
Joe Carrigan: [00:16:01] Right? So you could absolutely run this on a Mac as well.
Dave Bittner: [00:16:04] Yeah.
Joe Carrigan: [00:16:05] But I'd like to see something implemented in Windows. That would be cool.
Dave Bittner: [00:16:08] Yeah. Yeah.
Joe Carrigan: [00:16:09] But no, this is really cool. I like the idea.
Dave Bittner: [00:16:11] Yeah, it's clever.
Joe Carrigan: [00:16:12] Yep.
Dave Bittner: [00:16:12] It's clever. Again, it's called "Introducing BusKill: A Kill Cord for Your Laptop." It's Michael Altfield's Tech Blog. Check it out. It's kind of a fun, little project. All right. Well, Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:16:23] My pleasure, Dave.
Dave Bittner: [00:16:28] And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:16:46] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. Every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:17:15] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.