Sharing espionage tools and infrastructure. Speculative execution flaws found in Intel chips. A big Patch Tuesday. CrowdStrike’s IPO. WhatsApp exploitation. Cyber Solarium. Ransomware in Baltimore.

Dave Bittner: [00:00:03] Chinese domestic and foreign intelligence services are cooperating more closely in cyberspace. Another set of speculative execution issues is found in Intel chips. This month's Patch Tuesday was a big one. CrowdStrike files for its long-anticipated IPO. We'll talk WhatsApp, spyware and zero-days. Apple may be required to open its devices to apps from third-party stores. The Cyber Solarium is ready to get started, and Russia offers a helpful hand. And Baltimore continues to suffer from ransomware.

Dave Bittner: [00:00:41] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. According to a recent CA Technologies research report, 53 percent of organizations confirmed insider attacks within the last 12 months. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to track a combination of user and data activity. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIT free - no installation required - at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.

Dave Bittner: [00:01:48] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 15, 2019. A single command-and-control server is being shared by a variety of Chinese hacking organizations, including the National Security Commission, police agencies and the Ministry of State Security. Researchers at BlackBerry Cylance found that organizations which normally engage in domestic surveillance, particularly of what Beijing calls the Five Poisons - that is ethnic Uighur Muslims, Falun Gong practitioners, Tibetans, democracy advocates and supporters of Taiwanese independence - share infrastructure and tools with foreign intelligence and security services like the Strategic Support Force and the third party of the People's Liberation Army. The groups are sharing not only command and control infrastructure but also malware tools, notably the one Palo Alto Networks researchers call Reaver. Reaver is most familiar from operations against the unpleasantly named Five Poisons, but it's also turning up in attacks on foreign intelligence targets. BlackBerry Cylance's lesson is that it's time to update TTPs and indicators of compromise.

Dave Bittner: [00:03:02] Another set of speculative execution flaws similar to Spectre and Meltdown has been found in Intel chips. Intel calls the flaws Microarchitectural Data Sampling issues and others, ZombieLoad. As VentureBeat explains, the four vulnerabilities enabled side-channel attacks. Siemens, Apple, Adobe and Microsoft all patched yesterday. Apple's patches addressed, among other things, the ZombieLoad side-channel vulnerability in its products Intel chips. Cupertino wasn't alone in working on ZombieLoad. As TechCrunch reports, Amazon, Google, Mozilla and Microsoft also took on the speculative execution flaw. Intel itself has released a set of mitigations for the vulnerability. Fixes for ZombieLoad are thought likely to degrade CPU performance by 20 to 40 percent.

Dave Bittner: [00:03:53] Microsoft released 16 updates in total, resolving 79 distinct vulnerabilities. One involved a bug that could be exploited by a WannaCry-like worm, and Redmond drew particular attention to this issue. It was judged serious enough that Microsoft patched beyond-end-of-life software, including Windows XP and Windows 2003. Although no longer supported, both remain in wide use.

Dave Bittner: [00:04:20] Siemens addressed issues in its industrial control systems, and Adobe fixed problems with several products, including Acrobat and Reader. Endpoint protection shop CrowdStrike has filed for its long expected initial public offering. The company's S-1 reached the Securities and Exchange Commission yesterday. CrowdStrike intends to raise $100 million in the IPO. The company, a unicorn thrice over, valued at some $3.4 billion at the time of its most recent funding round is not currently profitable, but that's not unusual for unicorns. They may be magical beasts, sure. But profits don't grow on trees in the forbidden forest - even for unicorns. Just ask Hagrid.

Dave Bittner: [00:05:03] NSO Group, the Herzliya-based company whose intercept product Pegasus is said to have shown up in phones via a WhatsApp bug is also, by most reckonings, a unicorn. The company denies having played a role in the targeted use of Pegasus against the various individual users of WhatsApp. Pegasus, the company argues, is a lawful intercept product of the kind that legitimate governments use to fight crime and terror. The company's critics, Citizen Lab and Amnesty International prominent among them, note that Pegasus has been turned up in too many repressive actions for comfort. Amnesty is petitioning a Tel Aviv court to revoke NSO Group's export license.

Dave Bittner: [00:05:45] Some commentary on the WhatsApp affair has drawn scornful reactions in the Twitterverse, particularly a Bloomberg op-ed that appears to suggest that just because end-to-end encryption doesn't prevent the sort of exploit WhatsApp just patched, that encrypted communication tools amount to little more than marketing hype and eyewash. That's surely going too far. End-to-end encryption remains an important privacy and security tool. That it doesn't infallibly protect users is beside the point. Nothing infallibly protects users. Exploits that target secure devices are rare and pricey. Zerodium, the exploit brokers of Montpellier and Annapolis Junction, who revel in a bad-boy image, will pay up to a million dollars for a WhatsApp bug, which suggests that they're not particularly easy to come by. Zerodium, by the way, sells exploits to security, intelligence, and law enforcement agencies, not criminals. Their office locations suggest their probable market. World Password Day has come and gone. And while it may have helped raise awareness of proper password hygiene, the fact remains that passwords are problematic. Thomas Pedersen is CTO and co-founder of OneLogin.

Thomas Pedersen: [00:06:58] Well, passwords continue to be the bane of our existence, and they're pretty hard to get rid of. That's the difference between consumer passwords and passwords in the enterprise. What we have come to focus on is helping manage and eliminate passwords in enterprise. And there are standards that we can use to do that. But on the consumer side, it's still not really better than it was 10 years ago. People still have passwords for all kinds of things. What happens is most peoples - they'll resort to password reuse. And I guess if it's something that's not super sensitive - you know, my Yelp reviews and my old, disabled buggers (ph) - yeah, they're not really - it's not high-risk. But, you know, for my bank account and my card account and my PayPal and so on, I use multifactor authentication. I have a machine-generated password just to make sure that I could never be compromised there, at least - or lose my credentials.

Dave Bittner: [00:07:48] Do you think the word is getting out about that? Do you think people are adopting multifactor and those sorts of secondary security measures?

Thomas Pedersen: [00:07:55] It's getting more traction in the enterprise because more and more companies are aware that they need to have a cybersecurity initiative. But even within the enterprise, it's - we're not even talking about 50% adoption. And on the consumer side, very few people do it. Some - let's say bank applications - they actually do force you to do it. So they will send you an SMS with a one-time password when you sign in from a new browser. That's what my bank does. But there's a lot of thing - places where you don't have to use it. PayPal, for instance - they don't mandate that you use multifactor authentication. It's something you have to opt in for. And the same thing with Facebook and Gmail and so on. And I think that the vendors can do a better job of pushing it, but they also don't want to push people away because - and users don't like it. It's kind of annoying that you have to do it. It's definitely more of a necessary evil. Most people don't know that it even exists. And they don't know what the risk is. So that's why they don't even look into it.

Dave Bittner: [00:08:53] Do you suppose that we could be heading towards a time when we don't need this anymore? I'm thinking of things like - with touch ID and face ID - those sorts of technologies. Are we going to see those shift into more of our day-to-day password use?

Thomas Pedersen: [00:09:05] Yeah, I think it definitely helps. We are getting there slowly. I would say things like face ID and touch ID - they're kind of just masking. There's a couple of applications on my phone that - where I can use face ID, but I still actually do have a password for the app because it also has an online version. And so it's only partially a solved problem on a mobile device because the device is so sophisticated. But even most of the websites - they don't really - they can't work with it right. So it's still just a patch when you look at it more holistically.

Dave Bittner: [00:09:36] Where do you think we're going to head ultimately? Do we have passwords in our future for the immediate future? But will we ever get beyond them?

Thomas Pedersen: [00:09:43] You know, the question's always in the consumer space, who's going to be that trusted identity provider that everybody will use? And I think, for a long time, Facebook was making headway, and I started signing to (ph) a bunch of things with my Facebook identity. But I think over the past couple years, they have lost a lot of credibility, just because they have had so many security issues. And the question is, who is it going to be? Is it going to be Apple or Google? Or will there be multiple identity providers? And I think that's still too early to say. On the enterprise, it's a lot easier because when you work for a company, that company basically owns your corporate identity for as long as you work for that company. So that's what we have made a living out of - to sell data management services for the enterprise. And there, we can pretty much eliminate all the passwords. But the consumer side - it's just still a problem. And I don't see there's any - there's no obvious solution right around the corner.

Dave Bittner: [00:10:36] That's Thomas Pedersen from OneLogin. The U.S. Supreme Court has decided that consumers can sue Apple over prices in its app store. The suit would allege that Apple operates a monopoly that artificially inflates prices. If successful, a suit could require Apple to allow apps purchased from third-party stores to be downloaded to its devices. This may not be a good thing for security. Apple's store has been more rigorous than most at keeping out rogue or sloppy software, and industry observers see the possibility that the decision will tend to relax that rigor. Third-party app stores have been a security problem in the Android ecosystem. The Cyber Solarium, a U.S. deliberative body modeled on the Eisenhower-era group that considered nuclear strategy in the early 1950s, is ready to begin its work. 5G issues figure high among the agenda. The Solarium will have three working groups to address three major aspects of cyber strategy - persistent engagement, deterrence and international norms and standards. And, hey, the U.S. may get help from a country that wants to be partners. According to Sputnik News, Russian Foreign Minister Sergey Lavrov on Tuesday offered a helping hand in cyberspace. The foreign minister said, quote, "I'd like to reiterate that Russia wants to and is ready to cooperate with our U.S. partners in issues relating to the cyberspace. We want to do this on a professional level without emotions, without ideology and politicization." Mr. Lavrov's offer is likely to be coolly received, but maybe it's the thought that counts.

Dave Bittner: [00:12:16] Finally, Baltimore continues to struggle to recover from the ransomware attack it sustained last week. A number of citizen-facing services have been affected. If you're trying to buy a house here in the land of pleasant living, or as Natty Boh beer has taught us to call it, Charm City, you may be out of luck because the city transfer office cannot process deeds or deeds of trust for recordation. The city is also having trouble generating lien certificates and water bills. Its bad batch warnings about street drugs are also down, and that's proving a more serious problem because it affects a matter of health and safety.

Dave Bittner: [00:12:58] Now a moment to tell you about our sponsor ThreatConnect - designed by analysts but built for the entire team, ThreatConnect's intelligence driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms: Everything You Need To Know About Security, Orchestration, Automation and Response." The book talks about intelligence driven orchestration, decreasing time to response and remediation with SOAR and ends with a checklist for a complete SOAR solution. Download it at threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:14:13] And I'm pleased to be joined once again by Malek Ben Salem. She's the senior R&D manager for security at Accenture Labs. Malek, it's always great to have you back. Some of your colleagues there at Accenture recently released a new publication, a technology - a vision publication. Can you describe to us - so what's that all about? And what are some of the take homes?

Malek Ben: [00:14:34] Sure. So the Accenture Technology Vision is a publication that Accenture Labs publishes every year. We monitor emerging trends across businesses. And in this year, one of the main security trends that we've identified is, you know, what the ecosystem-driven business reality implies to security. As you know, companies continue to integrate their core business functions with third parties, with third platforms. So you have entire ecosystems that are forming and shifting industries.

Malek Ben: [00:15:10] Now, threat actors recognize these ecosystems and see them as a widening attack surface, yet most businesses don't see that they're no longer just the victims of cyberattacks, but also they are the vectors of these cybersecurity attacks. So in this ecosystem-dependent business world, which amplifies exponentially the impact of cyberattacks, incidents cripple from one enterprise to another. And one good example of that is, for more than five years, a group of hackers stole insider information about publicly traded companies, not by attacking the companies themselves but by targeting the newswire agencies that get early access to press releases from these large businesses.

Dave Bittner: [00:16:05] Right. News organizations will often get information ahead of time that's under embargo. They agreed not to release it, and these folks got access to that information and used it for profit.

Malek Ben: [00:16:16] Correct. So the question is - how do you respond to this reality, right? Organizations need to change their approach and incorporate security into the collaborative strategies that they use to build their products and services. What that means is they must include ecosystem dependencies as part of their own security posture by updating the way they do threat modeling, for instance. And they need to make security a important component of how they build these partnerships. In this new ecosystem-driven business reality, companies really have opportunities to use their ecosystems to up their cyberdefense game and improve their security posture for themselves, obviously, but also for their partners at the same time.

Dave Bittner: [00:17:10] All right. Well, good information - Malek Ben Salem, thanks for joining us.

Malek Ben: [00:17:14] My pleasure, Dave.

Dave Bittner: [00:17:19] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:17:32] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell. Our staff writer is Tim Nodar; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.