The CyberWire Daily Podcast 8.10.18
Ep 660 | 8.10.18

DPRK RAT in the wild. Vulnerable WPA2 4-way handshake implementations. Black Hat notes. Sanctions and retaliation. RoK to reorganize Cyber Command. PGA and ransomware.

Transcript

Dave Bittner: [00:00:03] US-CERT warns of a North Korean rat. Researchers find vulnerable WPA2 handshake implementations. A sales call results in inadvertent data exposure. Notes on Black Hat - circumspection, hype, barkers and artificial intelligence. Russia braces for U.S. sanctions and promises retaliation. South Korea will reorganize its cyber command. And the PGA is hit with ransomware.

Dave Bittner: [00:00:37] Time for a moment to tell you about our sponsor, ThreatConnect. With ThreatConnect's in-platform analytics and automation, you will save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. The pioneer in threat intelligence platforms, ThreatConnect provides organizations a powerful cyberthreat defense and the confidence to make strategic business decisions. And you can always learn more and get a free ThreatConnect account at threatconnect.com And we thank ThreatConnect for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:42] From the Black Hat conference in Las Vegas. It's a nice place to visit, but I wouldn't want to live here. I'm Dave Bittner with your CyberWire summary for Friday, August 10, 2018.

Dave Bittner: [00:01:54] US-CERT has warned of a new remote-access Trojan released by North Korea. McAfee and Intezer have conducted joint research into Pyongyang's attack tools, and they've found considerable code reuse. Some of the code that continues in use goes back to 2009's Bramble, one of the earlier malware strains to come from the DPRK. Code reuse is an obvious labor saver. Intezer is particularly confident that DPRK code reuse offers strong evidence for attribution. They call it the malware's DNA.

Dave Bittner: [00:02:31] More evidence of the importance of secure reimplementation comes from the Netherlands. Researchers at KU Leuven report finding vulnerabilities in implementations of the widely-used WPA2's four-way handshake.

Dave Bittner: [00:02:46] And Engadget reports that Amazon Web Services accidentally exposed GoDaddy information in the course of a sales call with the domain host. Sales staffs take note - this isn't how you become a closer.

Dave Bittner: [00:03:00] Black Hat has wrapped. The event was an occasion of expected hype, but also some introspection by the security sector. The initial keynote by Google's Parisa Tabriz urged those in attendance to commit to the long work of enhancing security by working through fundamental causes, picking well-thought-out, achievable objectives and working toward increased collaboration with those outside the security industry. Tabriz, who leads both Chrome security and Project Zero at Google, offered what amounted to a plea for well-structured, modestly hyped and disciplined engineering. And there did seem to be some introspection going on, albeit mediated by more noise than a state fair's midway.

Dave Bittner: [00:03:43] Curiously, the barkers' pitches in the booths that pack the exhibit floor seemed more modest and introspective than did many of the briefings, which tended toward spectacle and alarmism. The Martians have landed, and the man is out to get you. If there was one theme that emerged from listening to the barkers, who it must be said were often quite interesting, it was that the industry recognizes one of the first principles of North American economic reality. Capital is cheap, and labor is expensive. The solutions they pitched offered to save the users time. That's not simply time to detection or time to response, but the time employees would need to commit to using the solution defending an enterprise or remediating an attack. The solutions on offer also promise that they would de-skill some of the more advanced forms of technical expertise, thereby enabling junior analysts and other personnel to function at higher levels.

Dave Bittner: [00:04:41] Artificial intelligence was, as expected, very much a presence on the floor at Black Hat. The vendors offering artificial intelligence and machine learning were too numerous to count. There was some healthy skepticism about the larger and more extreme claims for AI. We stopped by one of the leading AI security firms, Cylance, well-known for its commitment to using artificial intelligence and security solutions, and asked if they would claim complete detection of unknown threats with mathematical certainty. Their quick, direct, reassuring and justifiably irritated answer was, of course not. No one can do that. It's impossible. But that AI has considerable utility and security seems beyond question, perfect insight and omniscient detection aren't preconditions of usefulness.

Dave Bittner: [00:05:29] One vendor that wants very much for people to understand why algorithmic certainty is impossible with respect to detection is Comodo. They were keen to explain that detection of unknown threats is a formally undecidable problem, a fact they think is insufficiently appreciated. Their alternative to what they would describe as naive and dangerous reliance on machines is default deny protection coupled with default allow usability.

Dave Bittner: [00:05:56] This morning, Comodo issued what it calls a Zero-day Challenge, inviting AV users, end-point security vendors and others to submit any malware sample of their choice. The company will run it through its Valkyrie Verdicting engine to see if the samples pass through. Comodo promises to publish Valkyrie's failures, as well as its successes. The company's CEO, Steve Subar, views the challenge as a contribution to cutting through what he sees as industry hype. He also sees it as a contribution to better, more transparent testing of tools and services.

Dave Bittner: [00:06:32] The Russian government is bracing for U.S. sanctions and has promised retaliation in kind. The U.S. sanctions are directed first against Russian breaches of chemical weapons treaties in the Novichok incident, which Russia denies, and second, against selection meddling. The second class of sanctions, which Russian sources suggest the Kremlin thinks are soon to be tightened by the U.S. Congress, appears to be the more threatening. Russia also continues to deny election-related influence operations, but few believe that either.

Dave Bittner: [00:07:04] A full-blown series of tit-for-tat sanctions would seem to play into U.S. strengths. It's difficult to see the economic bite Russian measures against the U.S. might have, so there may well be an upsurge in cyber operations against U.S. targets, whatever Moscow might be saying now. South Korea's troubled cyber command is about to undergo reorganization. Seoul's Defense Reform 2.0 plans will rename the organization as the Cyber Operations Command and strip it of its former responsibilities for psychological operations. The Republic of Korea knows it lives in a very rough neighborhood of cyberspace, and it wants a dominant capability there, but it also doesn't want a repetition of the domestic election meddling scandals cyber command had become enmeshed in.

Dave Bittner: [00:07:54] Finally, the PGA was hit with a ransomware attack just before its current gold championship tournament got underway. Investigation and remediation are in progress, but there's widespread speculation that the ransomware used was a strain of BitPaymer. The hoods want their ransom in cryptocurrency. The Register's headline and deck are worth quoting - "Oh, Fore Putt's Sake: Golf Org PGA Bunkered Up by Ransomware Attack Just Days Before Tournament." That's rough, but they were well teed off. If you've been looking for a pun, forget about it. The Register's headline writers have used up the world's supply. Well done, Register.

Dave Bittner: [00:08:40] And now, an open letter from your dedicated SOC analyst. Our team works around the clock, yet we're being flanked on all sides and can't get in front of threats fast enough. If we had a theme song, it would be "The Roof is on Fire." Speaking of fire, each attack is more sophisticated than the last, and our current operations aren't advanced enough to keep up. Our team is already stretched thin, and companies keep poaching our talent pool, affecting our level of tradecraft. We need help and fast. On the metro, I heard an ad from a company called LookingGlass Cyber Solutions. They have, as a service, security solutions built upon 20 years of experience, proper security chops and the infrastructure to support security teams like ours. It's time the good guys scored a point. Learn more at lookingglasscyber.com.

Dave Bittner: [00:09:41] Last night, as the Black Hat conference was winding down, our partners at Terbium Labs hosted a special event featuring a discussion with Russian authors Andrei Soldatov and Irina Borogan. Their latest book is titled "The Red Web: The Struggle Between Russia's Digital Dictators and the New Online Revolutionaries."

Andrei Soldatov: [00:10:01] Our first book, which was published in 2010, was about the Russian security services. But a few years later, by 2011, when we got to the Moscow protests prompted by the Arab Spring to some degree, we realized that new technologies, specifically social media, became a very important thing for the Russian political life. And we decided to look into what is going on with the Russian internet.

Andrei Soldatov: [00:10:31] And as it happens, it was the moment the Kremlin started paying attention to the internet and actually started a huge offensive on internet freedoms. And right since 2012, he got all kinds of things from internet filtering, censorship and advanced surveillance. So actually, the book is a combination of these things - an investigation of how we got to 2015, 2016 in terms of internet freedoms and connectivity and activities of activists and so on, so forth.

Dave Bittner: [00:11:06] So for our listeners here in the United States, how is it different in Russia than it is here in terms of how the surveillance state is run and operated?

Irina Borogan: [00:11:16] You know that here in the United States, your security services have a big possibilities to intercept electronic information and surveil on people because you have the best communications in the world and the best surveillance facilities and also data storage. Russia is a country not so advanced in technical direction. They mentioned that. But this is an assertative (ph) state...

Dave Bittner: [00:11:46] Authoritative state.

Irina Borogan: [00:11:46] ...So the - authoritative state, so the authorities are very interested on gathering information on people, especially on citizens and especially if they are some kind of dissidents or some kind of opposition to the Kremlin or just have another point of view than the Kremlin. So if here in the United States, mass surveillance on place, in Russia, they're talking about targeted surveillance. And the targets are activists, opposition politicians, dissidents and - different opinions than the Kremlin.

Dave Bittner: [00:12:26] Part of what your book covers is the rise of President Putin. Can you describe for us, how did his rise to power parallel how they're doing things when it comes to surveillance and how he chooses to go about that?

Andrei Soldatov: [00:12:39] Yeah, it's actually quite interesting that when Vladimir Putin became the chief of the Russian security service in 1998, that was exactly the moment the FSB got interested in the internet. So we have and had back in the 1990s a system of surveillance that we inherited from the Soviet Union, which mostly dealt with phone lines and regular phones. And, of course, it was very totalitarian because it was mostly actually developed by the KGB, and it was updated, but nevertheless it was still a KGB creature. So what the FSB decided to do in 1998, they decided to apply the same scheme to the internet and back when it was mostly about emails. And Putin as director of the FSB promoted this idea. And despite the resistance. And lots of ISPs - internet service providers - were against it because we were forced to pay for this new equipment. We got lots of protests. Civil society was very against it.

Andrei Soldatov: [00:13:13] But nevertheless, he pushed and we got this legislation already by 1999. And he had the very first meeting with internet providers. Surprisingly, he was quite liberal at this meeting. And he said some good things about internet liberties and freedoms because he saw that these people in the room, they're mostly - their love for him. And so it looks like for years - now, he got his system of surveillance. But nevertheless, he didn't see the internet as a big threat. And it's all changed since 2011, 2012 because the Moscow protests. And Putin got scared, actually, because he believed that the internet - actually, he said that - that the internet was created by CIA. And he still believes this. And he believes that the U.S. State Department is all this - busy with developing a new scheme, ominous scheme to undermine his regime. That's why he introduced a lot of legislation, a lot of repressive things.

Dave Bittner: [00:14:49] Now, for the two of you being journalists in Russia, we hear stories of certainly about journalists being killed, often under mysterious circumstances. I mean, as investigative journalists in particular, is this a concern for you?

Irina Borogan: [00:15:06] Yes. There are a lot of concerns for every honest journalist in Russia so - because the situation is not very favorable of them if you tell - if you tell truth to the people, you're in some kind of danger.

Andrei Soldatov: [00:15:21] It's also about - they might be more subtle, certainly about intimidation and killings. But the problem is that you might be deprived of your access to your audience. For instance, we have our books published in the United States not because we are so - well, obviously, it's a fascinating opportunity. But, of course, a Russian journalist wants to have access to the audience of his country. But in our ways, the only way to get to our audience is to get our book published in the United States and then patiently wait for a translation which could happen and could not happen because now it's up to the Russian publisher who would be brave enough to buy the license and to translate our book into Russian, written by Russian journalists. So it's a tricky scheme, but it sort of gives you a picture of what's going on.

Dave Bittner: [00:16:18] What do you make of what I think we perceive as a puzzling relationship between our own president, President Trump, and President Putin? From your perspective, you know, from the other side of things, how do you interpret that?

Irina Borogan: [00:16:32] It's difficult to interpret because, you know, the last meeting was so surprising for us because Trump showed himself as quite weak, and Putin demonstrated that he is in power. So it was tricky. And for me, it seemed like - it seems like Putin really has some compromising materials on Trump.

Andrei Soldatov: [00:17:01] And also, to be honest, we tracked these things back in 2006 - 2016 when you got the election compromised by hackers. And it was absolutely clear from Moscow that Trump was a kind of favorite candidate for the Kremlin. On Russian TV everywhere, Trump was promoted, and Hillary Clinton was attacked all the time. But to be honest, it looks like it was - they slightly overdid it anyway because nobody actually believed back in 2016 in Moscow that Trump could be the next president. What they tried to do, they tried to weaken Hillary Clinton. And it looks like they overdid it. And to be honest, when after that, I had some conversations with some officials from the Kremlin, and they told me that quite frankly they would prefer now Hillary Clinton because she's much more predictable, even for Moscow.

Dave Bittner: [00:17:53] You know, that's a really interesting insight. For the average citizen in Russia, what is their perspective on privacy and their relationship with the internet?

Andrei Soldatov: [00:18:04] We try to promote the idea that you need to care about your privacy. And to be honest, it was a disaster for many years. We tried and tried and tried, and we had some events in Moscow. And you might get in a room maybe 12 people, maybe 10 because people are not really interested. But then the Kremlin made a huge mistake. They did two things, First, they banned one of the biggest websites where you can share videos for free. And you got a number of Russian users of Tor network skyrocket into the position No. 2 in the world actually.

Andrei Soldatov: [00:18:42] And then they tried to block Pornhub. That was a huge mistake. And we got the first position actually. So now if you check the number of users of Tor in the world, well, it was first the United States took up the first position, now it's Russia. So finally, they got this message that they should care about privacy. They should care about circumventional (ph) tools. And they should care about secure messengers. So now it's getting more and more popular.

Dave Bittner: [00:19:14] Yeah. That's fascinating that the blockage of Pornhub provided a powerful motivator for people to learn how to use privacy-enhancing tools.

Andrei Soldatov: [00:19:23] Yes.

Irina Borogan: [00:19:24] That was - before this moment, we were desperate because average people didn't feel any interest to privacy online. And it was impossible to explain to them that these things does matter. But after that, they need access to Pornhub and to other information and start using circumvention tools - that was great.

Dave Bittner: [00:19:47] Our thanks to Andrei Soldatov and Irina Borogan. Their book is "The Red Web: The Struggle Between Russia's Digital Dictators and the New Online Revolutionaries." Special thanks to our friends at Terbium Labs for hosting the event and coordinating the interview.

Dave Bittner: [00:20:08] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course, but nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms. And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out their report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire, and we thank Cylance for sponsoring our show.

Dave Bittner: [00:21:06] And that's the CyberWire.

Dave Bittner: [00:21:07] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsors, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE intelligence. Learn more at vmware.com.

Dave Bittner: [00:21:32] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.