
Cyber Threat Analysis Report Volume 1, Edition 3

Cyber Threat ‘Wider Than Ever’

The cyber threat is “wider than ever” and encompasses serious aggressors abroad, notably in China and Russia, David L. Bowdich, deputy director of the Federal Bureau of Investigation, told several hundred representatives from academia, private industry, and law enforcement. “We’re worried about a wider-than-ever range of threat actors, from multi-national cyber syndicates to nation-state adversaries; we’re concerned about a wider-than-ever gamut of methods, from botnets to ransomware, and from spearphishing to business email compromise. We’re seeing these diverse threats in almost every company, at almost every level.”

No, no it’s not. Only people with no sense of history would say such a thing. That, or it’s that classic DC routine of saying whatever you think will resonate in order to get more money and authority. The KGB was using proxies to steal U.S. government secrets 30 years ago: sound familiar? 20 years ago there were far more threat assessments written on non-state cyber threat actors than nation states (and there were plenty of the latter as well). Fraud, semantic attacks, preparation of the battlespace, all nearly as old as the ‘Net itself, and don’t let anyone tell you otherwise.


NSA Releases Security Research Tool But Can You Trust It?

In recent years it has become almost commonplace for leaked National Security Agency (NSA) hacking tools to hit the headlines thanks to being used in attacks such as WannaCry, NotPetya and even the Democratic National Committee (DNC) email breach during Hillary Clinton’s U.S. election campaign. But now the NSA has released an open-source, reverse-engineering, hacking tool, called Ghidra, into the public domain itself. The question is, would you trust a security tool developed by spooks?

Hackers can’t have it both ways. On Monday the NSA is not doing enough to protect the nation, on Friday they’re trying to root our boxes with their so-called RE tool that’s probably totally a back door. To paraphrase Freud: sometimes software is just software.


What’s a ‘national security system’?

An intergovernmental committee is redrafting the definition of “national security system,” which currently mainly encompasses classified or sensitive government networks in the intelligence and military worlds. One key NSA official believes it should include more of the nation’s critical infrastructure — a step that could potentially lead to an altered federal government role in protecting those assets. The current definition is “many, many years old” and doesn’t account for the expanded scope of cyber in modern life.

Fixing the goose doesn’t address issues with the gander. Expanding or enhancing the definition doesn’t help if laws and policies that rely on the definition aren’t changed as well. The blunt instrument that is 18 USC 1030 is a great place to start. Does this set the stage for potential government overreach? Certainly. Will it do anything to improve security? Not in a meaningful timeframe. Mandates, absent resources, are flash over substance; ‘what we know how to do’ vice what might make a difference. Fixing the personnel problem is hard, creating thinking and novel solutions is hard, updating the Federal Register is easy.

More on Microsoft Botnet Takedowns

In Microsoft’s legal battles over botnets and against the Russian government-linked hacking group known as Fancy Bear, the company has notched: 19 completed botnet takedowns; 500 million devices rescued; 15 received court orders transferring Fancy Bear domains to Microsoft; and more than 90 domains transferred from Fancy Bear. But Tom Burt, Microsoft’s corporate vice president for customer security and trust, said the company needs to do more than just that on botnets, because alone it’s just “whack-a-mole.” He said: “It’s painful for them. It takes years to get infected devices. It takes time and investment. They’re not happy about it, but they’re still out there because there are hundreds of millions of dollars to be made.”

If you’re not working at scale, what’s the point? Some decry botnet takedowns as a waste of time because replacements are up before the ink on the press release is dry. They’re missing the point: done frequently enough, takedowns begin to impact the economics of botnets. 19 takedowns is a marked difference from just a few years ago, when they were occurring in the single digits annually. The response is never as fast as you want it to be, but the more participants that can be drawn into the effort, the more frequent and rapid they will come. While botnets might never fully go away, if we can relegate them to nuisance status, that’s a win.


Could Venezuela’s Power Outage Really Be A Cyber Attack?

As Venezuela endured one of its worst blackouts in recent memory this week, the government repeatedly claimed the widespread outage of power, phone and internet was due to a foreign cyberattack attempting to unseat its president. Timing such an outage to occur at a moment of societal upheaval in a way that de-legitimizes the current government exactly as a government-in-waiting has presented itself as a ready alternative is actually one of the tactics outlined in 2015.

How could we say otherwise? This is what happens when you play fast and loose with definitions and let FUD rule the day. Anything that looks and quacks like an attack might as well be given how few facts are actually released by victims. We’re the nation with a cyber command and can’t stop talking about ‘defending forward;’ why wouldn’t you be able to reasonably attribute what befalls you to el gran satanas? No Kremlinology here, just a reminder that the sword we wield is double-edged.


Shuttering of NSA surveillance program emboldens privacy groups

The potential end to a controversial National Security Agency phone records collection program is energizing privacy groups and lawmakers who have long called for stricter limits on domestic surveillance powers. Some privacy activists say these recent developments have strengthened their hand as they prepare to make their case on Capitol Hill, where they’ll argue that elements of the USA Freedom Act — Congress’s response to former NSA contractor Edward Snowden’s bombshell disclosures in 2013 — should not be reauthorized. “[Privacy activists] always have thought that the program should end, that there was no basis for it, but it’s even easier to make that decision because it’s been defunct for the past six months,” Daniel Schuman, policy director at privacy group Demand Progress, told The Hill.

SIGINT 101: go to where the data is. Intelligence collectors and privacy advocates can finally agree on one thing: programs of no value shouldn’t be used. Unfortunately, there is no argument, no matter how informed the speaker, that will convince some that ubiquitous computing and perpetual connectivity require eternal vigilance. To the extent that risk is the price we pay for living in a free country, the government would in fact be negligent if it were not actively working to detect and counter threats to her citizens. Privacy is not absolute, and I doubt any private entity critics trust with their data go to the lengths the government does to prevent abuse. Feds have in fact paid a price for privacy violations; I’m not aware of any Facebook or Yahoo employees who have suffered similar fates.


Equifax Was Aware of Cybersecurity Weaknesses for Years, Senate Report Says

The U.S. credit reporting agency announced in September 2017 that it fell victim to a data breach that was later confirmed to have been the result of successful exploitation of a publicly disclosed Apache Struts vulnerability that the company had been warned about but failed to properly patch. The attack on Equifax started in May, but was only detected in July, despite thousands of queries sent by threat actors to the company’s databases during that time. A December 2018 report from the House of Representatives’ Oversight and Government Reform Committee Republicans blasted the company for its poor security practices, and the new U.S. Senate report does that once again, while also providing some more details on Equifax’ failures regarding the incident. According to the report (PDF), Equifax was aware of security weaknesses in its systems for two years, but failed to properly address them. The critical vulnerability that led to the data breach was patched only months after being publicly reported.

Woulda, coulda, shoulda. What if they had paid more attention to cybersecurity? We have no idea and such reflection is a waste of time. Equifax made $3.36B in 2017, so the pre-breach math that determined that it made more sense to continue with business as usual rather than invest even a fraction of the $28M it’s cost the company to date holds up. No one, not even security companies, is in the security business; they’re just in business.


Research Firm Offers $3 Million for iOS, Android 0-Days

Vulnerability research firm Crowdfense has launched a new 0-day acquisition program and is promising payouts of up to $3 million for full-chain, previously unreported exploits. Last year, the company ran a $10 million bug bounty program that it says was very well perceived, and which also included free high-level technical training sessions that hundreds of vulnerability researchers around the world benefited from.

Your regular reminder that the opposition is just as professional as you are, and doing a better job of aligning incentives.

Facebook Plans Makeover as Privacy-Focused Network

CEO Mark Zuckerberg published a lengthy post detailing the company’s shift from open platform to privacy-focused communications. Zuckerberg thinks the future of communication is in private, encrypted services, and he’s adjusting the company’s historically open platform to reflect it. The post reflects efforts by Facebook to readjust following a turbulent few years under the spotlight, which has caused many users to distrust the social network’s use of their data and led to several legal battles. It remains to be seen whether these promises will become reality.

There is no historical precedent to indicate that any of these musings will actually be realized. One good indicator that it might happen: chatter about how the service will no longer be free. When personal information can no longer be commoditized without permission, revenue has to come from somewhere.

Forrester: Ransomware Set to Resurge As Firms Pay Off Attacks

Ransomware may be poised to return as a top scourge for companies, as more and more of them pay up after an attack in an effort to minimize the cost of recovery. That’s just one insight gleaned from an interview at RSA Conference 2019 last week with Josh Zelonis, senior analyst at Forrester Research. According to Zelonis, ransomware attackers often share information about their attacks and which companies are vulnerable. A new trend of victims paying off the ransoms could reverse the wane in ransomware attacks that has been seen in the last year or so, he said.

Create a sound backup scheme and test it. Store copies off-line. Store and process no more data than you need to. They can’t delete what they can’t reach, and they can’t steal what isn’t there. The solution to ransomware isn’t some sexy security solution, it’s basic, un-glamorous system administration.
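The backup advice above is easy to state and rarely exercised; the part that gets skipped is “test it.” As an added example (not from the original newsletter), the Python below records a SHA-256 manifest of the live data when a backup is taken, then performs the test step: it restores the backup to a scratch directory and diffs the restored files against the manifest, so a backup that was damaged or silently encrypted on the media is discovered during a drill rather than during an incident. All paths and sample files are constructed in a temporary directory; nothing here refers to a real system.

```python
"""Backup manifest + restore drill (added example; constructed sample data)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # kept beside the data; store a second copy off-line


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, backup: Path) -> dict:
    """Copy src into backup/data and write the manifest next to it."""
    shutil.copytree(src, backup / "data")
    manifest = build_manifest(src)
    (backup / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_tree(manifest: dict, root: Path) -> dict:
    """Compare a directory tree against the manifest taken at backup time."""
    actual = build_manifest(root)
    return {
        "missing": sorted(k for k in manifest if k not in actual),
        "modified": sorted(k for k in manifest
                           if k in actual and actual[k] != manifest[k]),
        "extra": sorted(k for k in actual if k not in manifest),
    }


def is_clean(report: dict) -> bool:
    return not any(report.values())


def restore_drill(backup: Path, restore_to: Path) -> dict:
    """The 'test it' step: restore to scratch space and verify every file."""
    manifest = json.loads((backup / MANIFEST).read_text())
    shutil.copytree(backup / "data", restore_to)
    return verify_tree(manifest, restore_to)


def demo() -> tuple:
    """Constructed scenario: one good restore, then one after the media was damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "live"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2019-03-01,100\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        backup = tmp / "backup"
        make_backup(src, backup)
        good = restore_drill(backup, tmp / "restore1")

        # Simulate a backup file that was corrupted or encrypted in place.
        (backup / "data" / "finance" / "ledger.csv").write_bytes(b"\x00" * 32)
        bad = restore_drill(backup, tmp / "restore2")
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("first drill clean:", is_clean(good))
    print("second drill report:", bad)
```

The manifest only helps if an intruder who can reach the backup cannot also rewrite it, which is why the off-line copy matters: keep at least one copy of the manifest (and of the data) somewhere the production network cannot write to, and run the drill on a schedule rather than once.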


Attack on Software Giant Citrix Attributed to Iranian Hackers

Software giant Citrix on Friday revealed that its internal network had been breached and the attackers may have stolen business documents. The company said it was informed by the FBI on March 6 that its systems had been breached by “international cyber criminals.” Citrix has launched a forensic investigation and it has taken action to secure its network. Resecurity representatives told NBC News that the attackers may have been lurking inside Citrix’s network for the past 10 years.

Not that kind of computer nerds. We don’t have any idea how much Citrix spent on cybersecurity, but we know it was just below the threshold that would have allowed it – and not outsiders – to determine it had been breached. Cybersecurity is not the issue we as practitioners think it is, and that’s OK if those involved are prepared to accept the associated risk. The costs associated with the breach aren’t available yet, but as we saw with the Equifax breach above (and others), it will probably not be enough to make the powers that be make it rain in the CISO’s office.


Cisco Publishes Annual CISO Benchmark Study

A new survey of senior security leader attitudes and practices concentrates on ‘anticipating the unknowns’. Cisco’s 2019 CISO Benchmark Study has one great strength: It queried more than 3,200 senior leaders with a CISO role (if not title) from 18 different countries. The results are a mixed bag. Deteriorating viewpoints are most visible in the questions on machine learning (ML), artificial intelligence (AI), and automation. Each of these questions shows a decline in reliance over the last year — and in terms of this survey, quite dramatic declines. Reliance on ML is down from 77% to 67%; on AI from 74% to 66%; and automation from 83% to 75%. These three subjects are the holy cow of contemporary cybersecurity — dozens of start-up vendors focus on machine learning solutions, while nearly all existing vendors have developed or are developing ML-based solutions.

When you’re talking to customers it’s ML; when you’re talking to investors it’s AI. While promising technologies, the worlds of ML and AI are filled with FUD. It’s hard to determine who is making progress and who is actually a (dozen) (wo)men behind the curtain doing the math the hard way. The shame of it is ML and AI are the most likely ways we can have an impact on both speed and scale, putting defenders on equal footing, or nearly so. If we can’t cut through the nonsense now, it will set us back another five years as the stank of failure fades and a new crop of decision-makers open up to the idea that there are an increasing number of things machines can do better than people.


NASA’s Cybersecurity Program Gets Failing Grade

The U.S. National Aeronautics and Space Administration (NASA) has again failed to implement an efficient cybersecurity program, according to a review by the NASA Office of Inspector General (OIG) for the fiscal year 2018. Based on the analysis of NASA systems and interviews with the agency’s representatives, the OIG has assigned a Level 2 maturity rating to the organization’s cybersecurity program for a second year in a row. FISMA defines five levels of maturity: Level 1 (Ad-hoc), Level 2 (Defined), Level 3 (Consistently Implemented), Level 4 (Managed and Measurable), and Level 5 (Optimized).

No change is not retrograde. That seems like a low bar, but then in an outfit as large and complicated as NASA, what did we expect? That they apparently know what needs to be done is considerably more advanced than a lot of organizations, whose CEOs operate like they read about cybersecurity in the in-flight magazine and mandated that everyone ‘needs to get them some of that’. Having said that, NASA’s cybersecurity shortcomings have been in the headlines for at least 20 years, which if this were the Apollo program would mean we should expect to put a man on the moon at some point in 2041. For a science-driven organization, having a bias for action exposes one to accusations of anti-intellectualism. But sometimes not doing something is not the safest course of action.


NSA, DHS Call for Info Sharing Across Public and Private Sectors

If money were no object, and you didn’t have to worry about bureaucracy or politics, what would you have your organization do to make a difference in the public-private sector discourse on cybersecurity? “The thing I’d love to be able to do is share in real time,” said Neal Ziring, technical director for the National Security Agency’s Capabilities Directorate. Ziring explained how if policy were not an issue, he would want to take NSA’s foreign intelligence and turn it into actionable warnings in real time. “That’s not easy. We’re trying to work in that direction,” he said, adding that there are “considerable policy obstacles to that right now.”

What about the 99%? Sharing and public-private partnerships are not the solutions we keep hoping they’ll be. They are far from equitable arrangements, and are effectively useless to the largest segment of the economy, which faces the same threats, with less talent, knowledge, and resources. If you’re a major bank that spends tens of millions a year on cybersecurity then the FS-ISAC is a great deal; not so much if you’re a local credit union. The sooner we shift focus to factors related to time (detection, response) and scale (helping everyone, not just those who can afford it), the better off everyone will be, not just the 1%.


U.S. Navy under cyber attack from Chinese hackers and hemorrhaging national security secrets

An internal U.S. Navy review concluded that the service and its various industry partners are under cyber attack from Chinese hackers who are building Beijing’s military capabilities while eroding the U.S.’s advantage. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal. “People think it’s much like a deadly virus — if we don’t do anything, we could die.” Breaches have been “numerous,” according to the review. While China is identified as the primary threat, hackers from Russia and Iran have also been causing their share of trouble.

Another day that ends in Y. All the effort and expense associated with building our Navy is also building the PLAN. Why? Myriad reasons, but the desire for functionality over security is undoubtedly a major contributor. That more sophisticated physical capabilities require ever more complex technical systems underneath is another. What self-respecting member of Congress is going to let their district miss out on their share of the largess of the military-industrial complex (supply-chain risks and trust relationship failures)? There was a time when the Pentagon actually built things and wasn’t just a big procurement shop. Then again, the threat was ‘loose lips’ not ‘promiscuous routers.’


Facebook and Instagram are officially back and blaming server configuration change for outage

Facebook blamed a massive outage that stretched into Thursday morning on a server configuration change. The world’s largest social network said it has resolved the issue, which affected millions of Facebook, Instagram and WhatsApp users starting Wednesday. “We made a server configuration change that triggered a cascading series of issues. As a result, many people had difficulty accessing our apps and services,” Facebook said in a statement. “Our systems have been recovering over the last few hours.”

Resilience: the yang to security’s yin. In everyone’s rush to attribute outages to malice, they forget that a failure in a sufficiently complex system is far more likely to be attributable to fat fingers. It’s OK for systems to fail, as long as they’re designed to fail in a graceful fashion. This is an increasingly important distinction that should be accounted for in the design phase, especially for technology destined for critical infrastructure, or implantation.


Beto O’Rourke belonged to a hacker group in the late 1980s

Beto O’Rourke, current presidential candidate, was once “Psychedelic Warlord,” member of the Cult of the Dead Cow hacker group in the late 1980s, according to Joseph Menn in Reuters. He acknowledges using cracked software and tricks to obtain free long distance phone calls, and credits Cult of the Dead Cow for his understanding of technological issues and his desire to see a free and open internet, including his stance in favor of net neutrality.


This is not the bona fides you’re looking for. We all long for a political leader who doesn’t think of the internet as a series of tubes. While being a part of a hacker crew sounds appealing, it clashes with the very (relatively?) deliberative process that has served us so well for so long politically. Rebels sound attractive, but then comes the actual task of governing, which is hard enough if you didn’t have 535 people who thought they could do your job. Curiosity? Great. Breaking rules you don’t agree with…haven’t we had enough of that already?


Michael Tanji

Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.