The CyberWire Daily Podcast 4.12.18
Ep 576 | 4.12.18

Zuckerberg testimony. Supply chain cyber threat to satellites. DPRK destructive malware. "Early bird" code injection. GCHQ vs. ISIS. Germany blames compromise on Russia. Salisbury attack update.

Transcript

Dave Bittner: [00:00:00:17] A quick reminder that if you're attending the RSA conference this year, be sure to stop by in the North Hall to the Akamai Booth, that's N3625 where I will be appearing daily doing meet and greets and some interviews as well. And of course we thank Akamai for making these appearances possible. That's Akamai harnessing the Cloud without losing control. We hope to see you there.

Dave Bittner: [00:00:24:06] Facebook's CEO Mark Zuckerberg has finished testifying on Capitol Hill, denying that Facebook sells data or that it knew what those people at Cambridge were up to with the data they obtained. The supply chain cyber threats to satellites. North Korean destructive malware may be back. Early bird code injection. GCHQ takes on ISIS in cyberspace. Germany attributes a 2017 network intrusion to Russia. International body confirms British official accounts of the Salisbury nerve agent attacks.

Dave Bittner: [00:00:59:22] Time for a few words from our sponsor Cylance. You've probably heard of next generation anti-malware protection and we hope you know that Cylance provides it. But what exactly is this next generation and why should you care? If you're perplexed, be perplexed no longer because Cylance has published a guide for the perplexed, they call it Next Generation Anti-Malware Testing for Dummies, but it's the same principle. Clear, useful and adapted to the curious understanding. It covers the limitations of legacy anti-malware techniques and the advantages of artificial intelligence and why you should test for yourself, how to do the testing and what to do with whatever you find. That's right up my alley and it should be right up yours too. So check it out at cylance.com. Take a look at Next Generation Anti-Malware Testing for Dummies. Again, that's Cylance, and we thank them for sponsoring our show.

Dave Bittner: [00:02:01:01] Major funding for The CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, April 12th, 2018.

Dave Bittner: [00:02:13:10] Facebook CEO Zuckerberg testified before the US House yesterday, deflecting suggestions that Facebook collect less information: "it's complicated," as one's relationship status so often is. Ranking member of the House Energy and Commerce Committee Frank Pallone, a Democrat of New Jersey, said he was disappointed by Facebook's unwillingness to limit its automatic collection of user data. Mr. Zuckerberg deflected the point by saying that his company's collection of data was, "a complex issue that deserves more than a one-word answer."

Dave Bittner: [00:02:45:23] Facebook's value of course lies precisely in the data that it collects and holds. Mr. Zuckerberg clarified several times to his inquisitors that "Facebook doesn't sell data." Taken narrowly and literally, that's true, but most who heard the testimony regard that statement as hair-splitting. What the Facebook CEO said was, "there's a very common misperception about Facebook - that we sell data to advertisers. And we do not sell data to advertisers. We don't sell data to anyone. What we allow is for advertisers to tell us who they want to reach, and then we do the placement." As Motherboard pointed out, Facebook doesn't sell your data, but profits from it. Representative Greg Walden a Republican of Oregon went on to say, "but it’s also just as true that Facebook’s user data is probably the most valuable thing about Facebook, in fact it may be the only truly valuable thing about Facebook."

Dave Bittner: [00:03:41:05] TechCrunch pointed out that one surprising bit of testimony threw some shade in the direction of Cambridge University. Mr Zuckerberg asked if Facebook intended to take legal action against Cambridge Analytica and its university partners, didn't answer directly, but he did expand on how he disapproved of what he'd learned about Cambridge University's use of Facebook data for research. Which he indicated he'd learned of when the Guardian broke the story in 2015. Mr Zuckerberg said, "so we do need to understand whether there is something bad going on at Cambridge University overall that will require a stronger action from us."

Dave Bittner: [00:04:19:14] He and his direct reports may not have known, but plenty of people at Facebook almost surely did. Cambridge University wasn't amused, and offered the following statement, "we would be surprised if Mr Zuckerberg was only now aware of research at the University of Cambridge, looking at what an individual’s Facebook data says about them. Our researchers have been publishing such research since 2013 in major peer-reviewed scientific journals, and these studies have been reported widely in international media. These have included one study in 2015 led by Dr Aleksandr Spectre (Kogan) and co-authored by two Facebook employees."

Dave Bittner: [00:04:57:00] Mr. Zuckerberg's testimony is now in the books. Congress will continue its deliberations and inquiries.

Dave Bittner: [00:05:03:22] The City of Atlanta recently made headlines for falling victim to a ransomware attack. And the amount of time it's taken to get things back up and running. Oren Falkowitz is CEO at Area 1 Security. And he shares his take on the situation.

Oren Falkowitz: [00:05:19:11] The city of Atlanta, you know, like many businesses and, and organizations before has become a victim of cyber attack, in this case ransomware. The interesting thing about, you know, ransomware attacks is that almost 99 percent of them start with what's known as phishing, where users probably within the network either received an email and clicked on a link and entered their username and password somewhere else, or visited a website or downloaded a file that they got this thing kicked off.

Dave Bittner: [00:05:50:04] And so I think what, what struck a lot of folks is how long it's taken them to get things back up and running.

Oren Falkowitz: [00:05:56:16] Yeah, absolutely, well, I think you know, it's inextricably tied to preparedness in this case the city and I think some of the public comments from the city have indicated that they really just weren't prepared for this. Either in pre-empting or taking early action to prevent the incident from happening to begin with. And secondly, from a mitigating the, the fallout therefrom. That, that being said, you know, it's not atypical. You know, once attackers can get very deep inside your network, it is very difficult to root them out and it does often shut down operations. You may recall in the Sony hack a few years ago, they resorted to using pen and paper for, for a little while. This is a very common phenomenon that once you get to this point. It's really hard to rebuild the integrity and trust within your computer systems.

Dave Bittner: [00:06:49:08] Yeah, and you know, I mean, there's that old saying that an ounce of prevention is worth a pound of cure, what do you suppose they could have done a better job with to prevent this in the first place?

Oren Falkowitz: [00:06:59:10] It's probably a little bit too early to, to give a definitive statement not knowing all of the, the details. But, but it's clear that a greater focus on preempting phishing attacks which is likely how these types of ransomware got into the network and I'm sure there are a variety of other mechanisms that we'll learn about over the coming weeks.

Dave Bittner: [00:07:20:15] We hear a lot recently that the bad guys are relying on things like phishing, these human factors to be able to get into the systems because it's inexpensive and it works. How much of the solution to this is a technical one and how much comes down to training?

Oren Falkowitz: [00:07:34:17] Well, training, you know, is a totally inefficient and ineffective solution for this. You know, everybody has a training program and if it was an effective solution, there would be far less breaches. There is no evidence that humans can be trained to become perfect robots in any discipline. We've, we've done training in our armed forces, we do training in sex education, we do training in the ability to drive cars and we continue to see humans operate with lots of error rates there. It only takes one person to click. This is a problem that needs to be solved with technology. It's perfectly within our capabilities to do that, but it requires the right kind of focus. You know, the interesting thing about phishing is that over 95 percent of all the incidents that are occurring around the world begin with phishing. And so it is the root cause for insecurity, for damage, for societal, you know, collapse as it relates to cyber security. And it needs to be solved with a technological approach.

Oren Falkowitz: [00:08:40:00] The cybersecurity industry today is suffering from a lack of accountability. Today people are buying more and more products and they're not getting higher results. And it's imperative that the people buying products and the companies that are helping to stop this problem really start focusing on being accountable and going towards performance models for their solutions so that people can be assured they're getting what, what they purchased.

Dave Bittner: [00:09:08:06] That's Oren Falkowitz from Area 1 Security.

Dave Bittner: [00:09:12:23] North Korean destructive malware with features not seen since the 2014 Sony Pictures hack is believed to have returned, according to documents obtained by Foreign Policy.

Dave Bittner: [00:09:23:15] A Secure World Foundation report concludes that cyberattacks on satellites are likelier than the kinetic destruction of orbital platforms, despite some recent tests of early-stage anti-satellite interception technologies. The report discerns signs of growing Chinese and Russian interest in this cyber mode of attack. It conceives the risk as largely a supply-chain problem, with Russian or Chinese suppliers of code and subcomponents building exploitable vulnerabilities into the satellites whose manufacture and operation rely on a globalized network of suppliers. In any case it's a lot easier to leave a debugger in a product than it is to hit something in geosynchronous orbit with an interceptor. The kinetic interception is flashier and splashier, but let's not confuse cost with value. Bricking a satellite works just as well as breaking it into small pieces.

Dave Bittner: [00:10:16:20] Security firm Cyberbit reports finding what it calls a new "early bird" code injection technique in which malicious code runs prior to a process's main thread. This enables attacks to bypass many antivirus protections. The technique is appearing in the Iranian threat group APT33's TurnedUp backdoor, in Carberp banking malware, and in DorkBot malware. Defensive techniques will no doubt evolve swiftly to handle this form of code injection, but it's an interesting move in the offense-defense seesaw.

Dave Bittner: [00:10:49:07] Britain's GCHQ says it conducted offensive cyber action against ISIS, successfully disrupting the terrorist group's operations and propaganda.

Dave Bittner: [00:10:58:07] German authorities have cautiously attributed a campaign against the Federal Republic's government and political networks to Russian state actors. Hans-Georg Maassen, chief of the BfV, the domestic counterintelligence service, says they can't be sure it was Fancy Bear (Russia's GRU) and that the unlikely possibility of a false flag operation can't be entirely ruled out, but that nonetheless they regard attribution of the attacks to Russia with "high likelihood."

Dave Bittner: [00:11:26:01] Russian authorities continue to deny any involvement with the Russian nerve agent attack in Salisbury last month. But the independent investigation they asked to reveal the whole matter as a British provocation, hasn't turned out as Moscow presumably hoped. Laboratory investigation of samples by the Organization for the Prohibition of Chemical Weapons found that the UK had correctly characterized the agent. They didn't call it "Novichok" or say "Russia did it," but they did note that the test samples' unusually high degree of purity strongly suggested state activity. The OPCW's statement, released last night and distributed to members this morning, said in part, "The results of analysis by OPCW-designated laboratories of environmental and biomedical samples collected by the OPCW team confirm the findings of the United Kingdom related to the identity of the toxic chemical that was used in Salisbury and severely injured three people."

Dave Bittner: [00:12:22:17] An emergency follow-up meeting, requested by the British Government, will be held next week. Russia has long called the attack a British provocation, probably mounted with an assist from the US and maybe the Czech Republic. Russia's London embassy has also issued a statement in response to Yulia Skripal's decision to decline a visit from Russian consular personal to check on her welfare. This decision is understandable, one might think, in view of her experience with nerve agent poisoning, and anyway, as she put it, if she decides she wants to talk to them, they're not difficult to reach. The Russian embassy says that it suspects that Ms Skripal is being held by British security services. As they put it, "the document only strengthens suspicions that we are dealing with a forcible isolation of the Russian citizen." Nobody really believes this, but the episode shows the degree to which it's apparently possible to double-down on the disinformation when the breaks are beating the boys.

Dave Bittner: [00:13:25:13] And now, a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with micro-segmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security: thecyberwire.com/vmware. And we thank VMware for sponsoring the CyberWire.

Dave Bittner: [00:14:26:03] And I'm pleased to be joined once again by Chris Poulin. He's the director of Connected Product Security at Booz Allen Hamilton. Chris, welcome back. I saw an interesting article come by from Ars Technica and it was singing the praises of the latest Cadillac that has a feature called Super Cruise which is one of many of these self-driving systems that you know, some of the high end cars have. Well, some of the things that struck me about this Cadillac system was that it has sensors built into the steering wheel that keep an eye on you while you're driving and specifically while this auto driving system is engaged, to make sure that you are keeping your gaze on the road. So it's actually monitoring your attention. And I think it's fascinating how many sensors are in these new cars.

Chris Poulin: [00:15:11:10] Yeah, you know, it's interesting. I don't think that a lot of the consumer automobile owners actually understand how many sensors are either in the car or being considered. You know, so for example there are sensors to monitor your heart rate to detect if you're having a heart attack while you're driving or, or some sort of, some heart condition. There are scales in the seat to detect whether or not you're the same passenger as you were before. There are analytics to detect the type of driving, you know, so effectively the car is trying to get to know you and so it's, that's an opportunity. I think it's, it's great in many cases you know, so if you were looking for teenage drivers and who were more apt to text maybe that eye, even if they're not engaging the Super Cruise they, it can detect whether or not they're paying attention or they're texting their friends or whatever. So that's, it's great in that sense.

Chris Poulin: [00:16:01:13] But there's also the privacy concern and it kind of freaks people out, quite honestly. You know, there's always that trade off and I think you and I have talked about that before, which is the functionality versus privacy. And how do you get passed, and I know this is not exactly what the uncanny valley is all about, but it's pretty close which is that even though the cars don't look like humans, which is technically what uncanny valley is, is characterized as. It's still trying, it's still a smart automobile. And so when do people get beyond the creepy feeling that the vehicle knows too much about them? Or that their, their Echo Dot knows too much about them, or their Google home, you know, is listening in on them. So, we're kind of in this weird little area, we're getting acclimated. And I heard a story, maybe from you, by the way, that elevators, used to have elevator operators back in the whatever, 1920s and '30s.

Dave Bittner: [00:16:50:16] Yes, yes.

Chris Poulin: [00:16:52:00] Were you one who told me this?

Dave Bittner: [00:16:52:15] I was, I was but go on, it's a good story.

Chris Poulin: [00:16:54:21] Yeah, because even though the elevators could in fact operate autonomously, you know, the people could do what they do now which is press the button and the elevator would operate without the operator. They felt more comfortable with someone who was an expert to actually operate the elevator. And so sort of this interim step, it's this, it, it bridges you between something you're familiar with, and something that you're not and I, that's what's happening with the automotive industry right now. I actually heard somebody, I know I'm going a little bit off topic. I was listening to the radio and the host were talking about the fact that they're not technical people, you know, that their autonomy, full autonomy I believe, if I read or heard this correctly, is being, has been legislated. It's being allowed in California, or some places in California for some cars.

Chris Poulin: [00:17:40:02] And so they were like, "Oh, I'm never going to get into a self-driving vehicle." And then one of the hosts says, "Well, what happens if it's snowing out?" and I find that an odd thing to think about in a negative way because humans are notoriously awful at driving in the snow, in fact I think the same hosts were talking about how bad people drive in the snow and the rain in the first place. And so, vehicles are going to be better at doing that than humans are in the first place, once you get beyond certain technical challenges that, you know, I think we're either past or we're right on the verge of passing. So I think it's kind of interesting that there is this perception that humans are still better at doing things than machines are in some cases.

Dave Bittner: [00:18:17:21] Yeah, no, it's, it's interesting, I'd be interested to see how that transition goes. Chris Poulin, thanks for joining us.

Chris Poulin: [00:18:23:06] Thank you.

Dave Bittner: [00:18:29:00] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:18:50:12] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.