March 15, 2017
This week’s reports on cybersecurity are dominated by US indictments of Russian spies for the 2014 Yahoo hacker attacks; new attacks by pro-Turkey activists on prominent Twitter accounts; China’s evolving cyberwarfare strategies; and the fallout from last week’s WikiLeaks releases of CIA hacking tools.
Cyberwarfare among Major Powers
US Justice Department Charges Russian Spies and Criminal Hackers in Yahoo Intrusion
https://www.washingtonpost.com/world/national-security/justice-department-charging-russian-spies-and-criminal-hackers-for-yahoo-intrusion/2017/03/15/64b98e32-0911-11e7-93dc-00f9bdd74ed1_story.html?hpid=hp_rhp-top-table-main_justice-1010a%3Ahomepage%2Fstory&utm_term=.adf9f3890787 – The Justice Department announced the indictments of two Russian spies and two criminal hackers in connection with the heist of 500 million Yahoo user accounts in 2014, marking the first U.S. criminal cyber charges ever against Russian government officials. The indictments target two members of the Russian intelligence agency FSB, and two hackers hired by the Russians. The charges include hacking, wire fraud, trade secret theft and economic espionage, according to officials. The indictments are part of the largest hacking case brought by the United States.
China’s Evolving Cyber Warfare Strategies
http://www.atimes.com/article/chinas-evolving-cyber-warfare-strategies/ – China’s cyber capabilities are continuously evolving in parallel with the People’s Liberation Army’s (PLA) ongoing military reforms and modernization drives. As the PLA invests in the development of comprehensive cyber capabilities, the character of future conflicts in East Asia will increasingly reflect cyber-kinetic strategic interactions.
Related: China’s Internet Censorship Under Fire – But Proposal Against Controls Gets Censored – https://www.scmp.com/news/china/policies-politics/article/2078350/chinas-internet-censorship-under-fire-two-sessions – Two proposals by CPPCC delegates at panel meetings – one which was subsequently censored and another which went unreported on the mainland – have urged the loosening of internet controls, and many advisers and lawmakers have spoken out against the restrictions, which have been tightened under President Xi Jinping’s administration.
Hackers Attack High-Profile Twitter Accounts, Post Swastikas And Pro-Erdogan Content
http://www.huffingtonpost.com/entry/twitter-hack-turkey-swastikas_us_58c8f803e4b01c029d776bde?section=us_technology – Amnesty International, BBC North America, Duke University, Forbes, PBS Food, U-Haul and UNICEF USA were among the verified accounts affected by the hack. At the time of this writing, it’s not known who was behind the hack; however, the hackers may have used the third party service Twitter Counter to access the accounts.
Canada’s forces deployed in Latvia to include ‘cyber warriors’ to counter Russians
http://news.nationalpost.com/news/world/matthew-fisher-canadas-forces-deployed-in-latvia-to-include-cyber-warriors-to-counter-russian-attacks – Canada is to deploy “cyber warriors” to Latvia this June to defend its military computer networks and the information on them from sustained attacks by Russia, as a Canadian-led NATO battle group begins an open-ended deployment to the small, strategically important Baltic nation.
With Claims of CIA Hacking, How to Protect Your Devices
https://www.nytimes.com/2017/03/08/technology/personaltech/defense-against-cia-hacking.html?hpw&rref=technology&action=click&pgtype=Homepage&module=well-region&region=bottom-well&WT.nav=bottom-well – “The one thing that people can and should be doing is keeping their apps and phones as up-to-date as possible,” said Kurt Opsahl, deputy executive director for the Electronic Frontier Foundation, a digital rights nonprofit. Other than ensuring that you have the latest operating system, Google recommends that Android users protect their devices with lock screens and PIN codes, and enable a setting called Verify Apps, which scans apps downloaded from outside of Google’s app store for malware.
Related: CIA listed BlackBerry’s car software as possible target – https://www.bloomberg.com/news/articles/2017-03-08/cia-listed-blackberry-s-car-software-as-possible-target-in-leak – BlackBerry Ltd.’s QNX automotive software, used in more than 60 million cars, was listed as a potential target for the Central Intelligence Agency to hack, according to documents released by WikiLeaks. CIA meeting notes mention QNX as one of several “potential mission areas” for the organization’s Embedded Devices Branch. The same branch also worked with U.K. spy agencies to develop tools to break into Apple iPhones, Google’s Android system and Samsung smart TVs, according to some of the 8,761 documents WikiLeaks posted on March 7.
China expresses concern at revelations in Wikileaks dump of hacked CIA data
http://www.reuters.com/article/us-cia-wikileaks-china-idUSKBN16G128 – Dozens of firms rushed to contain the damage from possible security weak points following the anti-secrecy organization’s revelations, although some said they needed more details of what the U.S. intelligence agency was up to. Widely used routers from Silicon Valley-based Cisco (CSCO.O) were listed as targets, as were those supplied by Chinese vendors Huawei [HWT.UL] and ZTE (000063.SZ) and Taiwan supplier Zyxel, for their devices used in China and Pakistan.
How do you frustrate a CIA hacker? Show them Chinese: by Stephen Chen in South China Morning Post, Mar 9, 2017
http://www.scmp.com/news/china/policies-politics/article/2077179/how-do-you-frustrate-cia-hacker-show-them-chinese – Chinese software engineers have the habit of inserting Chinese text into source code to aid their memories and communicate with colleagues. This can cause unexpected obstacles for foreign attackers. Tang said the WikiLeaks document also confirmed the suspicion that the CIA and other US government agencies had recruited a number of Chinese-speaking hackers to assist in and accelerate China-related operations.
The WikiLeaks CIA release: When will we learn? – https://theconversation.com/the-wikileaks-cia-release-when-will-we-learn-74226 – Ultimately, as a society, we must continue to debate the trade-offs between the conveniences of modern technologies and security/privacy. There are definite benefits and conveniences from pervasive and wearable computing, smart cars and televisions, internet-enabled refrigerators and thermostats, and the like. But there are very real security and privacy concerns associated with installing and using them in our personal environments and private spaces.
New Vulnerabilities Found
Malware Found Pre-installed on Dozens of Android Phones
http://www.technewsworld.com/story/Malware-Found-Preinstalled-on-Dozens-of-Android-Phones-84369.html – Malware has been discovered preinstalled on 36 Android phones belonging to two companies, security software maker Check Point reported on March 10. The malicious apps on the phones of a telecommunications company and a multinational technology business were not part of the official ROM supplied by the vendor, he explained. They were added somewhere along the supply chain. Supply chain attacks like the one discovered by Check Point pose a serious problem to any consumer who receives such a phone. “In a scenario like this, the only method to protect yourself from this threat would be to scan the phone right out of the box,” said Troy Gill, a senior security analyst with AppRiver.
Cybersecurity Experts Easily Infiltrate Energy Companies’ Networks
http://www.houstonchronicle.com/business/article/Put-to-the-test-cybersecurity-experts-easily-10989830.php?t=0400f1191b – From the mines of Chile to offshore platforms in the Indian Ocean to refineries in the United States, Jim Guinn has hacked just about every kind of energy facility. “There’s not a refinery, power generation facility, oil terminal or platform that doesn’t have technology on it that we haven’t been able to infiltrate,” said Guinn, global cybersecurity leader for energy at Accenture Security consulting in Houston.
Final Report of the US Defense Science Board Task Force on Cyber Supply Chain
http://www.acq.osd.mil/dsb/reports/2010s/DSB-CyberSupplyChainReport-Final.pdf – The Report recommends expanding cyber supply chain exercises in the Military Services to address warfighter challenges while also improving program protection practices over the lifecycle of weapon systems. It also recommends that the Department develop a long-term strategy for access to state-of-the-art commercial foundry capabilities that does not rely exclusively on trust, and continue R&D investments by DoD agencies in a technology-enabled strategy that fosters new tools to better defend against cyber supply chain attacks.
Preventive Measures
UK’s Terrorism Reinsurance Fund Wants to Extend its Cover to Include Cyberattacks on Property
http://www.homelandsecuritynewswire.com/dr20170314-cyberterrorism-threat-must-be-addressed-pool-re-s-chief – Pool Re, the U.K.’s $7.3 billion terrorism reinsurance fund, wants to extend its cover to include cyberattacks on property, chief executive Julian Enoizi said. Pool Re is financed by the insurance industry with government backing, and payouts depend on the British government determining that an attack was terror-related.
Misaligned Incentives, Executive Overconfidence Create Advantages for Cyberattackers
https://www.mcafee.com/us/resources/reports/rp-misaligned-tilting-playing-field.pdf – Intel says that the report, based on interviews and a global survey of 800 cybersecurity professionals from five industry sectors, outlines how cybercriminals have the advantage, thanks to the incentives for cybercrime creating a big business in a fluid and dynamic marketplace.
A Normative Approach to Preventing Cyberwarfare
http://www.atimes.com/normative-approach-preventing-cyberwarfare/ – At last month’s Munich Security Conference, Dutch Foreign Minister Bert Koenders announced the formation of a new non-governmental Global Commission on the Stability of Cyberspace to supplement the UN Group of Governmental Experts, or GGE. The GGE’s reports in 2010, 2013, and 2015 helped to set the negotiating agenda for cybersecurity, and the most recent identified a set of norms that have been endorsed by the UN General Assembly. But, despite this initial success, the GGE has limitations. A more fruitful approach to normative controls on cyberwarfare may be to establish a taboo not against weapons but against targets. The US has promoted the view that the Law of Armed Conflict (LOAC), which prohibits deliberate attacks on civilians, applies in cyberspace. Accordingly, the US has proposed that, rather than pledging “no first use” of cyber weapons, countries should pledge not to use cyber weapons against civilian facilities in peacetime.
Software Patches
Uber seems to Prevent Use of Greyball to Thwart Regulators
https://www.nytimes.com/2017/03/08/business/uber-regulators-police-greyball.html?hpw&rref=technology&action=click&pgtype=Homepage&module=well-region&region=bottom-well&WT.nav=bottom-well – The ride-hailing service Uber said on Wednesday that it would prohibit employees from using a program called Greyball to thwart regulators. Uber’s new policy pertaining to the use of Greyball, a tool the company developed to show individual riders different versions of its app, comes in the aftermath of a New York Times article that outlined how the company had used the tool to identify and avoid local regulators who were investigating the service.
Microsoft’s Patch Tuesday Returns
https://threatpost.com/patch-tuesday-returns-microsoft-quiet-on-postponement/124309/ – Patch Tuesday returned today as expected after last month’s postponement with a giant release of fixes that includes patches for vulnerabilities disclosed and exploited since the last set of updates in January. Among today’s 18 security bulletins, eight were rated critical, including separate bulletins for Edge and IE that patched the two Google-disclosed bugs.
SAP Patches Critical Hana Vulnerability That Allowed Full Access
https://threatpost.com/sap-patches-critical-hana-vulnerability-that-allowed-full-access/124278/ – SAP patched a series of critical vulnerabilities in its cloud-based business platform HANA today that, if exploited, could allow for a full system compromise without authentication. SAP HANA, an in-memory database, has been increasingly targeted by hackers over the last year; the management system is primarily used to store, retrieve, and process core business data.
“Lip Password” uses a Person’s Lip Motions to Create a Password
https://www.homelandsecuritynewswire.com/dr20170314-lip-password-uses-a-person-s-lip-motions-to-create-a-password – Biometric data such as fingerprints is used around the world to unlock mobile devices and verify identity at immigration and customs counters. Despite its wide application, a fingerprint scan cannot be changed: once the scan is stolen or hacked, the owner cannot change his/her fingerprints and has to look for another identity security system. Researchers have invented a new technology called “lip motion password” (lip password), which utilizes a person’s lip motions to create a password.