Following Ke3chang. Bulgaria's tax agency breach. An alternative currency gets some incipient regulatory scrutiny. Why towns are hit with ransomware. A hair-care hack.
Ke3chang is out and about, and more evasive than ever. Data breached from Bulgaria's National Revenue Agency has turned up online, in at least one hacker forum. Facebook's planned Libra cryptocurrency received close scrutiny and a tepid reception on Capitol Hill this week. Emsisoft offers some common-sense reflections on why local governments are attractive ransomware targets. Please patch BlueKeep. And my interview with Richard Clarke, co-author of the new book The Fifth Domain.

It's time to take a moment to tell you about our sponsor, Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web: cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. Subscribe today and stay ahead of cyber attacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right. And we thank Recorded Future for sponsoring our show.

Funding for this CyberWire podcast is made possible in part by ExtraHop, providing cyber analytics for the hybrid enterprise. Learn more about how ExtraHop Reveal(x) enables network threat detection and response at extrahop.com.

From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, July 19th, 2019.

ESET reports on recent activity of Ke3chang, an elusive threat group engaged in cyber espionage. Most of Ke3chang's recent targets have been in Slovakia, Belgium, Chile, Guatemala, and Brazil. ESET studiously avoided attributing Ke3chang, but they do observe that since its discovery by FireEye in 2013, Ke3chang has been associated with China. The recent campaigns show improved backdoors and greater evasiveness. In MITRE's threat group taxonomy, Ke3chang is also known as APT15, and sometimes as Vixen Panda or Playful Dragon.

Hacked Bulgarian tax information has begun turning up in various discreditable hacker online neighborhoods. ZDNet says that the person who posted it, a gentleman going by the name Instakilla, obtained it from a download link carelessly displayed by a Bulgarian television news report, crowdsourced a solution to the password, and has now made the data available. He's not worried about doing so. He's a Bulgarian citizen, but since he's not the original hacker, Mr. Instakilla doesn't feel accountable for anything. So he's got that going for him. Maybe. But the alleged original hacker has now been identified. Computing magazine, citing Bulgarian sources, identifies the suspect as Kristian Boykov, age 20. Mr. Boykov had been employed by TAD Group, apparently in a cybersecurity training role. This is consistent with early reports that said the perpetrator was a white-hat pentester gone bad. Bulgarian social media are atwitter with talk that some of his students were members of the police cyber squad that collared him. So, good job, teach, although it's always better to get an apple on your desk than a set of steel bracelets. In 2017, Mr. Boykov had exposed and disclosed security issues affecting the country's Ministry of Education, which publicly praised him for his efforts. The present episode is therefore a sad comedown.

The police say that the tax agency hack wasn't even particularly artful. This seems to be figuring in Mr. Boykov's defense: his attorney suggests that Mr. Boykov was too skillful and resourceful to have pulled off what looks like the work of a skid. Skid or not, the data were compromised. The way the case has proceeded is interesting. Mr. Boykov would originally have faced up to five years in prison upon conviction, but a letter from Bulgaria's National Revenue Agency explained to the justice system that the data they lost wasn't really critical infrastructure, and so now a conviction seems likely to bring just a fine. The National Revenue Agency isn't really making what the lawyers call an admission against interest here: the agency is itself liable to fines over a data breach, perhaps as high as $22 million.

Facebook's plans for Libra received close congressional scrutiny this week. The concerns are familiar, but the regulatory way forward is, as Wired points out, unclear. Should Libra be regulated like a bank, an investment, a contract? And how might necessary regulation preserve the decentralization that makes altcoins so interesting in the first place? The Group of Seven central bankers are also cool to the notion, at least in its pure buccaneering, unregulated, libertarian form.

Emsisoft reflects on the recent wave of ransomware hitting US local governments. The firm suggests that counties and towns are vulnerable because of outdated systems and big attack surfaces. Over a third of local governments rely on technology that's at least a generation behind the current state of the art, and the towns and counties offer so many different public web services that they're inevitably exposed to attack.

SC Magazine and others continue to report that hundreds of thousands of devices remain unpatched against BlueKeep. Do give some thought to patching. If not for yourself, think of what you're doing to herd immunity.

And finally, as we all learned in elementary school, fire is a good servant but a bad master. So here's another thing to worry about that wouldn't have occurred to us before: hair straighteners can be hacked now. For those of you in the security community who aren't necessarily fashion-forward or especially grooming-conscious, we'll explain what a hair straightener is. A hair straightener is a device that uses heat to texture hair. Since there's at least a marketing, if not always a clearly functional, reason to render all sorts of devices smart, this has now been done to some models of hair straightener. But assuming you wanted a hair straightener in the first place, why would you want a smart one? Well, so it could communicate with stuff to maximize your attractiveness, obviously. In this case, Naked Security has an article describing one high-end product, the Glamoriser Bluetooth Smart Straightener, which communicates with an associated Android Glamoriser app. The problem is that the smart system is easily hackable, as a researcher at Pen Test Partners has demonstrated. You could, if you so wished, remotely override the Glamoriser's temperature setting from a toasty but arguably bearable 248 degrees Fahrenheit to a super-Bradbury 455 degrees Fahrenheit. That's hot enough to melt iodine, selenium, or tin, and plenty hot enough to set your house afire. Sure, the hacker would have to be in Bluetooth range, but how hard is that, anyway? Dumb-smart is perhaps worse than old-fashioned dumb. Think twice before styling your hair with what amounts to a soldering iron. Besides, trust us, your hair looks fantastic as it is.

And now a word from our sponsor, KnowBe4, the experts in new-school approaches to defeating social engineering. Ever wonder how hackers and con artists know so much about their targets?
There's more information out there on everyone than you'd like to believe. There's even a name for it: open source intelligence, OSINT. Kevin Mitnick, KnowBe4's Chief Hacking Officer, can show you what the bad guys can find out about you. Go to knowbe4.com/osint and register for a free webinar, an hour with people who know a thing or two about mind-blowing underground open secrets that you need to know. That's K-N-O-W-B, numeral 4, dot com, slash O-S-I-N-T. And we thank KnowBe4 for sponsoring our show.

And joining me once again is Johannes Ullrich. He's the Dean of Research at the SANS Technology Institute, and he's also the host of the ISC StormCast podcast. Johannes, it's always great to have you back. You know, scanning your network for vulnerabilities is an important part of regular cyber hygiene, but you wanted to talk today about some issues that could come up when you do that.

Yes, when you're running vulnerability scans, one thing a lot of people are sort of concerned about is unintentional denial-of-service attacks and such. But there's another problem that actually one of our Storm Center handlers, Xavier, ran into recently, and that's the use of credentials in these vulnerability scans. Now, a very simple vulnerability scan would just scan your network, check what services are exposed, and report on that, but that's usually not all that useful. So what you do is you actually provide your vulnerability scanning system with credentials so it can log into systems and then find out in more detail what the system may be vulnerable to. The tricky part here is that in order to do this, the credentials being used by the vulnerability scanning systems often have some elevated privileges, and an attacker can actually take advantage of these credentials and use them to attack your system if they're able to intercept a connection that is established by the vulnerability scanning system.

So these credentials are typically being sent in the clear?

Well, it really depends. If they're being sent in the clear, of course, then it's easy. But in one particular case, if you're connecting to SMB file shares, so you have a Windows network and you're using SMB to connect to remote systems, in this case you can launch what's known as an NTLM relay attack, where the attacker essentially is getting in the middle between the vulnerability scanning system and the target system and is playing them off against each other in order to gain access to the system, without actually having to break any hashes or actually know any credentials that are involved.

And what's the solution here? What's the best practice to avoid this?

Well, first of all, I would not use any protocols that send credentials in clear text. Those protocols should be avoided anyway. You probably don't even need to log in using your vulnerability management system. Now, as far as SMB is concerned, it's a little bit more tricky, because it's almost a feature of some SMB versions. So your real solution here is to prevent that NTLM relay attack. You should do that by using SMB version 3 and by enabling SMB signing. That, of course, is only possible if you're using the latest versions of Windows.

Johannes Ullrich, thanks for joining us.

Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes, but do you know what? The bad guys know all about it, too. It will stop the skids, but to keep the savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better.
Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning, and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking, or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.

My guest today is Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States. Under President George W. Bush, he was appointed Special Advisor to the President on Cybersecurity. He's currently chairman of Good Harbor Consulting. He's the author or co-author of several books, the latest of which is titled The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. The book is co-authored with Robert Knake.

So the military talks about things as domains: land, sea, air, and over the years they added space as the fourth domain. Now, in the last few years, the military has talked about a fifth domain, cyberspace, where they expect cyber war to take place. So we're calling this The Fifth Domain, not just because the book is about cyber war, but because it's also about other things that take place every day in cyberspace, including what happens to you as an individual, what happens to corporations. It's not just about cyber war.

One of the points you make in the book, you say that the next major war will be provoked by a cyber attack. What leads you to that conclusion?

Well, the Director of National Intelligence has publicly testified that the Russian government has hacked into the controls of our power grid, and that the Chinese government, the Chinese military, the People's Liberation Army, is capable of controlling or affecting our controls for natural gas pipelines. We suggest in the book that that creates a situation of crisis instability, where, if there is tension among nations, people are going to look around for, "Whoa, what, how can we do signaling? How can we do an initial attack that's not going to end up killing people?" And the answer is going to be cyber. We actually had proof of that a few weeks ago, when the Iranians shot down a drone and the United States wanted to retaliate. The normal retaliation package was given to the president, and he initially approved it, and it was the traditional way of retaliating, with cruise missiles and bombers. But after a while, when they thought about it in the White House, they said, no, we don't want to go that far. Let's just start with a cyber attack, because it seems easier, less bloody, less lethal. But the problem with cyber attacks is they do destroy things, and they provoke retaliation, and when you get into a cycle of tit-for-tat retaliation, ultimately that ends up in kinetic or conventional war. The Pentagon's policy, publicly articulated policy, is that if the United States gets hit by a cyber attack from another nation state, and if that attack is sufficiently destructive, we reserve the right to respond with a kinetic attack. So we've said publicly, cyber attacks on us will not just be responded to with cyber attacks on you.

When it comes to testing traditional kinetic weapons, you know, they're unambiguous. If I do a test of a nuclear weapon, that capability is clear for everyone to see. But it's different in cyber, and we hear that nation states are hesitant to demonstrate these resources for fear of burning those resources, that revealing them will make them less effective.

And that's why deterrence doctrine from the nuclear era doesn't port well over to the cyber era. Deterrence doctrine, MAD, mutual assured destruction, depended upon people knowing that both sides had weapons that would work, knowing that those weapons could definitely get through, knowing that those weapons could do a specific amount of damage. And that's not the case in cyber. Also, in deterrence doctrine from the nuclear era, attribution was not an issue. Attribution can be an issue with cyber attacks, because we now know that the Russians and the Chinese and apparently the Americans use each other's cyber weapons to obscure who's doing the attacks, and apparently we've all stolen each other's weapons. Certainly nothing like that ever happened in the nuclear era. We never had the Russians running around with a US missile submarine, or vice versa. So you're right, we're reluctant to use a cyber weapon, because once you've used it, other people can figure out how it works and can build defenses against it, and therefore we don't want to use a weapon unless we absolutely have to. We can't demonstrate, and frankly, when we pull the trigger, we can't really be confident we know how well it will work, or what the defenses are that it'll have to overcome. So cyber is a different kettle of fish than every other kind of combat, every other kind of war.

Yeah, there's an interesting point you make in the book, and you say that traditionally, military strategists were looking for certainty, and that certainty was aligned with security, but in the cyber domain, uncertainty may be something that deters military action. Can you explain that difference to us?

Well, no military commander wants to attack unless he knows there's a pretty good chance he's going to win, and in the case of cyber, you really don't know, when you launch an attack, what defenses you're going to come up against. Do they already know this attack technique? Will they allow you in and then shut you down? And the fact that we cannot be sure how effective our offensive weapons will be at any given time means that anybody advising a president or a commander should tell them, "Hey, boss, we don't know that this is going to do the job." That changes things.

Does that run counter to how military leaders are accustomed to thinking?

It's entirely counter to what they're used to thinking. They have in the past always been able to exercise, simulate, have high probabilities of success, know what the outcome will be. In cyber war, they're not that sure.

When President Trump took office, there was some optimism that cybersecurity was going to be a focus. One of his first executive orders was centered on cybersecurity. How has that played out?

Not well. He initially had a very good guy running cybersecurity policy from the White House, the job I had, and that was Rob Joyce from NSA, a very respected, nonpartisan guy, an expert. And John Bolton, when he came in as National Security Advisor, got rid of him and didn't replace him with anybody. So the old sort of cyber czar job doesn't exist. There's no one really making policy or implementing policy across the board out of the White House. The same thing happened in the State Department, where Rex Tillerson came in and wondered why there were people working on international cyber norms and got rid of that office. They did, I will admit, the Trump administration did write a really good national security policy, national security strategy for cyber. I say it's really good because it looks a lot like the one I wrote for Bush. But they haven't implemented it.

Personally, I find it helpful in my own mind to use public health as a metaphor for cybersecurity. If you look at the past hundred years of the progress we've made, we made tremendous strides in public health, and it's not perfect. You can wash your hands and, you know, do the basics, and still every now and then you're going to get a cold. Do you find that that's a useful comparison?

No. People are always struggling to explain cybersecurity in terms of something else that people already understand, right? And one of the things that you hear a lot from people is, well, if you just have good cyber hygiene, then you wouldn't get hacked. And I don't know what the hell that means. I don't think anybody really knows what that means. It's not a matter of good cyber hygiene. It's a matter of spending money. The companies that are spending three and four percent of their IT budget get hacked. The companies that are spending eight to ten percent of their IT budget on cybersecurity do not get hacked. That's nothing about hygiene. It's about money.

So what's the take-home for the reader, the average person who's going about their life, their day to day, here in the US and elsewhere? What's the message you want to send home with them?

Cybersecurity affects everybody, and everything we do, from whether or not it's safe to go to a hospital and be strapped up to a life-support machine or heart-lung machine, to who gets elected and how the election process works. It could, if we had a bad day, bring down an airline or bring down the power grid, and it can certainly mess your own personal life up in terms of credit card theft and other records theft. So we have a chapter in the book about what this means to the individual, and what are the things the individual can do to increase their own cybersecurity. So individuals should do those many things that can improve their own security, but then they should be involved in the public debate to urge corporations they deal with and governments they deal with to remove the threats, because we know how to do it.

Well, the book is The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. Richard Clarke, thanks so much for joining us.

Great to be with you.

And we'll be publishing an extended version of my interview with Richard Clarke this Sunday.

And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett.