Going Cyber Nuclear, Underestimating Iran and Free NSA Tools

CyberWeekly Edition

Cyber Nuclear

FireEye CEO Kevin Mandia opined recently about the growing cyber arms race, stating “the rules of engagement have broken.” This seems true as the international community has yet to define cyber warfare. While a clear cut definition remains a bit ephemeral, the world has undoubtedly experienced at least low-levels of cyber warfare in recent years. What should governments do, if this cyber Cold War ever ignites into a hot war?

The obvious answer is that governments need to come together and agree to a digital Geneva Conventions. However, governments—particularly truly global players like the US, Russia, and China—like to approach negotiations from a position of strength. Thus it wouldn’t be surprising to see them focus on obtaining “cyber nuclear weapons” before they focus on treaties.

In this instance, by “cyber nuclear weapons” we mean a mechanism to cut off a country from the Internet, when under dire attack. Admittedly, it’s unclear if this feat is possible. It has been well publicized that Russia intends to create a “sovereign network,” which it can unplug from the rest of the world. This attempt to create and raise digital drawbridges is to be exercised later this year. Will it work? We’ll see. If Russia’s attempt does work, it will change the game… and many countries will prepare similar defenses.

As opposed to actual nuclear weapons, these “cyber nuclear weapons” truly seem defensive in nature. They do however have the potential a creating a less international and collaborative internet. Maybe possessing them will bring cyber national powers to the treaty table.

We’ll all be better off if something does.

Underestimating Iran?

Are we underestimating Iran as a serious cyber threat actor? The Hill recently posed that question and I think it’s an interesting one. While the US intelligence community named Iran along side Russia, China and North Korea as global cyber threats in its 2019 Worldwide Threat Assessment, it kind of felt like Iran was an add on. If I’m not an oil and gas company or a rival Middle Eastern power, how much do I really need to worry about Iran?

The work of Iran-nexus threat actors has been described as noisy and lacking operational security. However, recent DNS hijacking—linked to Iranian threat actors—may represent Iran’s graduation to a real global player. The campaign may single-handedly force DNS providers to finally adopt the security protocol DNSSEC after 20 years. A threat that dissolves that kind of malaise is notable.

It’s worth keeping in mind that in addition to regional prowess, Iran likely seeks global influence. Cyber espionage is like asymmetric warfare (which Iran has plenty of experience with in Syria, Lebanon, and Iraq). It allows force projection with minimal assets at risk.

It’s an effective tool for Iran’s national goals. Thus we’ll likely see Iran invest more energy into their cyber capabilities and increased maturity of Iran-nexus threat actors.

Cybercriminals’ Favorite Targets

It popular to imagine that businesses are all under constant threat from nation-state APTs—at least it was before cyber insurance called WannaCry an act of war and refused to payout. In reality, private sector companies are more often threatened by good old fashioned cybercriminals.

At RSA Conference 2019, Angel Grant, director of identity, fraud and risk intelligence with RSA, highlighted a few of the targets of choice for cybercriminals:

• Retail: Cybercriminals increasingly target e-commerce, as new chip credit and debit cards are making traditional retail fraud more difficult.

• Social Media: Your average netizen might have never heard of personally identifiable information (PII), but they are exposing plenty of it online. This is always popular with online fraudsters.

• Finance: It’s where the money is. I’ll spare you any rehashed quotes from 20th century bank robbers.

• Travel/Leisure: Airline and hotel loyalty programs are often tied to credit cards and passports, which are exploitable.

This should generally sound familiar, but the hotel and airline programs jumped out to me as interesting. Consumers may regard those logins as less precious than bank or credit card login credentials. However, there is absolutely a monetary value to those points. As well, those websites have a lot of PII about you.

I’ll give it to the cybercriminals, they do know how to innovate. I know I say this all the time, but a password manager would reduce the risk of compromised credentials.

NSA Offers Ghidra Open Source

For me one of the biggest surprises from the 2019 RSA Conference was that the National Security Agency (NSA) not only showed up, but they came bearing gifts. The NSA announced that their reverse engineering tool Ghidra would now be available for open source download. This is a helpful tool for decompiling programs, particularly in malware analysis.

Ghidra has clearly been around for a while. Notably, the NSA released version 9.0 to the public. One twitter user commented that Ghidra is over 13 years old.

There have been a few conspiracy theories suggesting that Ghidra may install an NSA backdoor on users’ computers. I doubt it. Making high profile announcements about giving away cyber security software at the RSA Conference—only to have it be malicious to cyber professionals who download it—hardly seems like good tradecraft. I think the better question is, If this is what the NSA is giving away, then what tools are they keeping secret?

Cool Job of the Week

• Bridgewater Associates — Cyber Security Analyst (Location: Wilton, CT)

Veteran-Preferred Job of the Week

• United Parcel Service (UPS) — Cyber Intelligence Analyst (Location: Mahwah, NJ)

Subscribe to The CyberFuture Newsletter at cyber.substack.com.

Stay vigilant,

Oritse J. Uku, Editor-in-Chief

Disclaimer: The opinions expressed in this newsletter are my own.