The CyberWire Daily Podcast 6.19.18
Ep 623 | 6.19.18

Charges in Vault 7 case. Olympic Destroyer appears to be back. Liberty Life hack. Does Tesla have a rogue insider? US Senate hits at ZTE. Guilty plea in OPM hack-related fraud. Motive: blackmail.

Transcript

Dave Bittner: [00:00:03:09] The US has charged a former CIA engineer in the WikiLeaks Vault 7 case. Olympic Destroyer may be back and preparing to hit chemical weapons investigators and arms control specialists. Updates on the Liberty Life data extortion investigation. Elon Musk says Tesla Motors has an internal saboteur. The US Senate snatches the lifeline out of ZTE's hands. A guilty plea in OPM-breach-related fraud and a possible motive in the Jeopardy champ's email hacking.

Dave Bittner: [00:00:39:11] Now a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest paper entitled "More Is Not More." Busting the myth that more threat intel feeds lead to better security. It's a common misconception that a large quantity of threat intelligence feeds leads to more effective security. Unfortunately, threat feed overindulgence can lead to confusion, disorganization and inaccurate threat reports. Instead of adding more threat intel feeds, you should incorporate the feeds that provide the most value to your company's security operations. Find the paper or to register for a free ThreatConnect account, visit threatconnect.com. That's threatconnect.com. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:02:00:01] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, June 19th, 2018.

Dave Bittner: [00:02:12:13] The US Justice Department yesterday announced that it has charged Joshua Adam Schulte with "unauthorized disclosure of classified information and other offenses relating to the theft of classified material" from the CIA. These charges have long been under preparation. Schulte was arrested in New York back in August of last year on charges related to child pornography. The FBI and the Department of Justice have since then been preparing a case against him in the matter of WikiLeaks' Vault 7, a public dump of alleged CIA documents by Julian Assange's gadfly operation. Schulte is alleged to be the source, or at least a major source, of Vault 7's contents. The defendant's careless search for, and online communications about illicit pornography are thought to have constituted the opsec mistakes that led Federal agents to him in the first place. A Federal grand jury issued the superseding indictment—superseding the original child-pornography charges—that included thirteen counts. The Government believes Schulte's alleged theft of classified information occurred in 2016. WikiLeaks dumped Vault 7 online in 2017.

Dave Bittner: [00:03:27:11] Olympic Destroyer, the threat group responsible for disruption of digital aspects of this past winter's Pyeongchang Olympic games, is apparently back. Kaspersky Lab is tracking activity that looks very much like Olympic Destroyer's against organizations associated with chemical and biological weapons control. Targets in Germany, France, Switzerland, Russia and Ukraine are said to have been spearphished. One of the malicious Word files found among the attachments in the spearphishing emails make reference to the Spiez Convergence 2018, a conference in Switzerland organized by the Spiez Laboratory and scheduled for this coming September. The conference will assess new biological developments and their "potential implications for chemical and biological arms control."

Dave Bittner: [00:04:16:10] The evidence for Olympic Destroyer's renewed activity lies principally in the obfuscation and spearphishing macros the recent attacks have employed. Kaspersky as is its custom offers no attribution, but it did comment that the techniques are similar to those used by Sofacy, a threat group associated with Russia's GRU. US officials concluded in February that Olympic Destroyer was a Russian operation cloaked by false flags intended to divert suspicion toward North Korea. Russia had resented the exclusion of its Olympic team from the winter games on grounds of illicit doping.

Dave Bittner: [00:04:52:12] This time the resentment appears to be rooted in a different sort of chemical activity: the nerve agent attack in Salisbury, England, against an exchanged GRU double-agent and his daughter, and various chemical attacks by Russia's client Assad against rebel and less-than-perfectly loyal civilian populations in Syria. Russia has objected strongly to investigations linking it to these incidents, and the Spiez Laboratory played a significant role in attribution of the Salisbury nerve agent attack to Russia. Moscow claimed, to almost universal skepticism, that the attack was a British-American provocation aided and abetted by the Czech government, which Russian sources said provided the Novichok agent used in the attempted assassinations.

Dave Bittner: [00:05:38:19] This latest spearphishing round appears to be battlespace preparation. The attacks are complex. Some of the targets are clearly connected with chemical and biological arms control, but others are not only unrelated—that is, they're banks—but also Russian—Russian banks. This is probably misdirection. There's no reason an early stage reconnaissance and staging would have to develop into a damaging attack, so Russian banks may not in fact be at realistic risk. And even if they were, there's a historical willingness to break eggs in the making of omelets that goes back very far in Russia, through Stalin and Lenin and back to Father Gapon.

Dave Bittner: [00:06:21:15] Another set of meetings will also be worth watching in this context. The Organization for the Prohibition of Chemical Weapons, the OPCW, will, at the request of the United Kingdom, hold a Special Session of the Conference of the State Parties on June 26th and 27th. It's expected to address the non-attribution problem surrounding chemical weapon use and, in particular, to be a forum at which the UK and other states will forcefully bring up both Salisbury and Syria. This is only the fourth special session the OPCW in its two-decade history. OPCW should look to its emails.

Dave Bittner: [00:06:57:21] Many of us believe it's important to give back to the infosec community and, of course, there are a variety of ways to do that. Lenny Zeltser is VP of Product Management at Minerva Labs and an instructor and author at Sands Institute. He's put together a collection of free "cheat sheets" for IT and security professionals. Here's Lenny Zeltser.

Lenny Zeltser: [00:07:20:13] The first one that I created, I believe, was the one called "Malware analysis and reverse engineering cheat sheet."

Dave Bittner: [00:07:28:07] There's a wide variety here. Everything from tips for creating and managing new IT products to critical log review checklists for security incidents and one of my personal favorites "How to suck at information security."

Lenny Zeltser: [00:07:43:01] Yes, we could all use a little bit of advice on how to suck at information security if we're into the idea that reverse psychology is something that might actually work in persuading others to pay more attention to information and cybersecurity. Yes, I wrote that one, as you would expect, with a bit of a tongue in cheek attitude, but it's one that's been getting quite a bit of attention because, you know, when you work in cybersecurity, there's always some practice that you have witnessed that really annoys you and you wish you could share with others what not to do.

Dave Bittner: [00:08:16:05] Why don't we dig in? Can you share a couple of the suggestions here for how to suck?

Lenny Zeltser: [00:08:22:24] So, here's some advice related to password management. Require your users to change passwords too frequently. It's one of those things where it feels inherently like a good thing for security. Hey let's change passwords all the time; once a week, once a month or once a quarter. But, of course, those of us who have been doing this for while realize that that simply encourages people to pick passwords that are easy to guess, so that's one. Or another advice, delete logs because they're becoming too big to read. Just get rid of those logs, I'm sure you won't need them. Or classify all of your data assets as being highly confidential or top secret. It's one of those tactics where, if you're moving and packaging your stuff into boxes, if you label everything fragile, that just means nothing is fragile. And those of us in the security space who want to be extra cautious with information, if we label everything top secret or highly confidential then people start paying attention because, well, if everything is confidential and top secret then how do you apply security practices differently to data that maybe doesn't require as much protection?

Dave Bittner: [00:09:31:01] Why is it important for you to put this out there and encourage the sharing of it?

Lenny Zeltser: [00:09:34:23] I appreciate the fact that everybody has their own spin on advising people in relation to IT or information security practices. I shared with others what I feel was important, but I also recognized that somebody else might have different advice, might want to add, modify or remove some of the tips that actually I had in my cheat sheets. So, that's one of the key reasons why I licensed these cheat sheets using the creative common attribution license, which means people can take cheat sheets and use them in any way that they want, as long as they attribute the source of the original cheat sheet to me, the author, and I make these available, not just on my website, but also as files that people can download in a PDF format or, perhaps, most usefully in Microsoft Word format. When people do that, I would encourage them to try to stick by the self-imposed limit that I defined, well just for myself, and others might disagree but in most cases my goal is to fit everything in the cheat sheet on a single page and I believe, by trying to limit the space in which I can offer advice, forces me to be really selective and succinct about what it is I'm trying to say.

Dave Bittner: [00:10:51:06] That's Lenny Zeltser. You can find all of his cheat sheets at zeltser.com/cheat-sheets.

Dave Bittner: [00:11:00:13] Observers speculate that Liberty Life may have been the victim of a malicious insider. The South African insurance company disclosed Saturday that it was undergoing extortion by criminals who threatened to release sensitive client data if they weren't paid their ransom demands.

Dave Bittner: [00:11:16:14] Another malicious insider may be behind "sabotage," including deliberately bad coding and data theft, at Tesla, or so Elon Musk believes. The founder of Tesla, SpaceX, and the Boring Company has sent a company-wide email to "Everybody" in which he said, "I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations. This included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties." The story is developing.

Dave Bittner: [00:11:57:02] The US Senate voted yesterday to revoke the lifeline the Administration had extended to ZTE. Huawei appears to be in Congressional crosshairs as well. Both Chinese companies are widely suspected by Five Eyes security services to be too cozy with Chinese intelligence. ZTE's stock price plummeted 25% upon the news.

Dave Bittner: [00:12:18:21] If you wondered what all that personal information stolen from the US Office of Personnel Management, that's OPM, was used for, here's a partial answer: Karvia Cross of Bowie, Maryland, pleaded guilty yesterday to using PII stolen from OPM to get fraudulent personal and vehicle loans from the Langley Federal Credit Union. Her co-defendant, one Marlon McKnight, pleaded guilty earlier this month. There's, of course, no suggestion that Ms Cross or Mr. McKnight were the hackers who pwned OPM, but they certainly found a use for the data that spattered out.

Dave Bittner: [00:12:54:17] And, finally, to return one last time to the case of Jeopardy champion and sometime college history professor, Stephanie Jask - convicted of illicitly accessing email accounts at Adrian College. You may have wondered what she was up to; according to a fellow faculty member whom Jask told about her caper, Jask took advantage of a campus-wide password reset to, in her former colleague's opinion, scan email accounts for blackmail material. Sentencing is scheduled for next month.

Dave Bittner: [00:13:29:23] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption and they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on A Comprehensive Approach To Security Across The Digital Workspace will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security. Thecyberwire.com/vmware, and we thank VMware for sponsoring our show.

Dave Bittner: [00:14:31:15] Joining me once again is David Dufour. He's Vice President of Engineering and Cybersecurity at Webroot. David, welcome back. You know, the GDPR deadline has come and gone. I thought it would be good to check in with you to see what kind of things you're seeing on the ground. What effect it's had on your customers. What can you share with us?

David Dufour: [00:14:49:06] Hey David. First of all, thanks for having me back. GDPR, everybody talked about it, I think everybody thought the world was going to come to an end or the sky was falling, but I think we're rolling into it and we're just now starting to see implications of what's going on with GDPR and how it's going to affect us. Last week I was in London. There's a report of a mobile carrier there who had a data leakage and they immediately, when they found out about it, reported it publicly and so that's one positive effect of GDPR. We're seeing people reporting issues very quickly now when they occur. I personally was nervous for this company, because I don't know what their fine is going to be or how that's going to play out, but some positive things that we're seeing are organizations knowing they need to report this quicker and there's going to be a lot more leniency as they make those reportings as soon as possible.

Dave Bittner: [00:15:44:10] Now what are you seeing in terms of impact on US companies?

David Dufour: [00:15:48:05] Organizations that have high visibility to Europe, and I'm going to include ourselves into that, with offices over there, we spent a ton of time looking at data, looking at where we store information, putting processes in place and we actually had an internal initiative to be ready for GDPR because, effectively, we have offices over there and we knew it would directly have implications for us. But what I'm seeing in general is a lot of organizations in the United States who may run data centers in the States but have exposure to sales or customers in Europe, they're maybe not as prepared as they should be. So, I guess what I'm summarizing there is that people with boots on the ground in Europe really do feel it and people in the States, they're being a little bit more not as worried about because it's so far away.

Dave Bittner: [00:16:40:01] It was remarkable to me that even as we approached the deadline for it, it wasn't that unusual for me to come across someone who is in this industry and would say "I'm sorry, GDPR, what is that?"

David Dufour: [00:16:51:17] That is a little bit scary. I hope most people know about GDPR, but you're absolutely right. The competence level seems to be high. We've done some surveys, we've looked into how people were addressing this from a cybersecurity perspective, and competence levels seem to be high in terms of people's belief they're prepared. However, once we started drilling down into what would you do if you have identify the data you collect for a customer or what would you do if you had to get rid of information on a specific customer because they contacted you and wanted that data removed? They couldn't get very specific about how they would handle those types of scenarios, so not being able to answer those questions implies to me that a lot of organizations in the US maybe aren't quite as prepared as they should be and their plan is to have contact points, have the ability for someone to communicate with them about it, but kind of fill in the gaps as they go along on their processes.

Dave Bittner: [00:17:59:03] Now do you sense that folks are still holding their breath to see what happens once the fines start happening?

David Dufour: [00:18:05:11] Absolutely believe that. On some level, I can't fault organizations, especially smaller companies, because it's so expensive to try to prepare for something and not know exactly what you're trying to prepare for. So there's a little bit of hope that if I can fly under the radar I can see what's going to happen legally with the larger organizations and then trend my processes or the things that I need to do in that direction. But you are taking somewhat of a risk in that, because if you have a data breach and you have data from Europe and it becomes popular in the media, it could be game over for you.

Dave Bittner: [00:18:49:19] Well we're going to keep an eye on it, of course. David Dufour, thanks for joining us.

David Dufour: [00:18:54:13] Thanks for having me David.

Dave Bittner: [00:18:59:24] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com and Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor VMware, creators of Workspace ONE intelligence. Learn more at vmware.com. The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe and I'm Dave Bittner. Thank you for listening.