CyberWire Daily - A Foreign Office hack is disclosed (but that’s it). Preparing for a cyber escalation in the hybrid war Russia’s waging against Ukraine. Multi-cloud threats. Patch Tuesday notes. Razzlekhan raps.
Episode Date: February 9, 2022

Britain's Foreign Office sustained a cyberattack last month (the details are secret). Poland stands up a Cyber Defense Force as Europe and North America raise their level of cyber readiness. Negotiations over the Russian pressure on Ukraine are likely to be protracted. Threats to multi-cloud environments. Patch Tuesday notes. Dinah Davis from Arctic Wolf on keeping kids safe online. Carole Theriault examines Mozilla's Privacy Not Included campaign. And Razzlekhan rocks the mic with her mad skillz, or used to, anyway. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/27 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer. Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us.
Hey, everybody. Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Britain's Foreign Office sustained a cyberattack last month. The details are secret. Poland stands up a cyber defense force as Europe and North America raise their level of cyber readiness. Negotiations over the Russian pressure on Ukraine are likely to be protracted. Threats to multi-cloud environments. Patch Tuesday notes. Dinah Davis from Arctic Wolf on keeping kids safe online. Carole Theriault examines Mozilla's Privacy Not Included campaign, and Razzlekhan rocks the mic.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 9th, 2022.

The Times reports that Britain's Foreign Office sustained a cyberattack last month. Details are publicly unknown because they're being considered a matter of official secrecy, but it is known that the attack was serious enough to warrant giving BAE Systems Applied Intelligence a contract for almost £470,000 to help with response and remediation. The contract did not go through the normal competitive process due to the urgency and criticality of the work. Official sources offer no attribution, but the Times indulges some a priori speculation by pointing to recent warnings about Russian cyber threats.
The AP reports that Poland has appointed Brigadier General Karol Molenda to lead the country's new cyber defense force. Defense Minister Mariusz Błaszczak framed the new command as a defensive measure taken in recognition of, especially, cyber threats from Russia. Quote, "We are perfectly aware that in the 21st century cyber attacks have become one of the tools of aggressive politics also used by our neighbor. For that reason these capabilities are of fundamental, key nature to Poland's armed forces," end quote.

Reuters cites unnamed sources who say that the European Central Bank has raised its level of alert for cyberattack and has shifted its focus from the common financially motivated cybercrime to the prospect of state-directed attacks originating from Russia. The ECB is said to have queried banks about their readiness to withstand such attacks, and the individual banks are holding drills to increase their own state of readiness. The measures seem driven more by prudential considerations concerning the continuing Russian threat to Ukraine and by Russia's record of offensive action in cyberspace than they are by specific intelligence of any particular imminent threat.
The U.S. has been unusually forthcoming with intelligence it's collected on Russian cyber capabilities and operations. The revelations are generally regarded as having undeniable utility as influence operations, but Politico says that some in the U.S. intelligence community think that too much may have been shared. There's also some concern that the releases may be unduly alarmist, especially when taken collectively and without other context. Politico quotes a former CIA officer, quote, "I am concerned about the long-term credibility of our intelligence with all of these select declassifications. If it turns out to be wrong or partially wrong, it undermines how much our partners trust the info we give them, or frankly, how much the public trusts it."
Other observers think that simple deterrence is likely to restrain Russia from escalating its hybrid war in cyberspace. An op-ed in The Telegraph, for example, argues that Russia understands British and U.S. offensive cyber capabilities, and that its calculus will tell them that an expanded cyber war is one Moscow is unlikely to win.

Task and Purpose reviews potential cyber threats from Russia and concludes that none of them amount to shock and awe. It reviews five major cyber campaigns Russia has mounted against Ukraine, widely regarded as a testing ground as well as a theater of operations, since 2014: election interference in 2014, power grid sabotage in 2015 and again in 2016, NotPetya economic disruption in 2017, and Bad Rabbit economic disruption in 2017. They rate the strategic effects of all but NotPetya as negligible. NotPetya's effect it rates as unknown. These are, of course, all actual attacks. There are other potential threats, especially large-scale and destructive attacks against power grids, whose consequences could be far more devastating than these. But Task and Purpose's account of the use of cyberattacks as tactical adjuncts to military operations is interesting.

The New York Times reviews the current state of multilateral negotiations and sees, if not stalemate, at least stasis. Its analysis foresees a drawn-out and dangerous diplomatic slog toward a difficult settlement. Russia has staged more general-purpose forces near Ukraine, notably moving amphibious assault ships from the Mediterranean and toward Ukraine's Black Sea coast, while diplomatic efforts to reduce tension continue. Belarus continues to emerge as an important staging point for Russian conventional forces. No fresh large-scale cyber activity, however, is being reported.

The Guardian reports that French President Macron said Russia's President Putin gave him a personal assurance that Russia wouldn't be the one to escalate the conflict between Russia and Ukraine. President Macron communicated that assurance to his Ukrainian counterpart, President Zelensky, during talks yesterday in Kiev. Zelensky, who has taken pains to downplay the imminence of Russian invasion while preparing for the worst, was politely skeptical, saying, "I do not really trust words. I believe that every politician can be transparent by taking concrete steps."

Official Russian comment on French claims that Moscow had agreed not to undertake any new military initiatives was, however, dismissive. Spokesman Dmitry Peskov said, quote, "This is wrong in its essence. Moscow and Paris couldn't do any deals. It's simply impossible. France is a leading country in the EU. France is a member of NATO. But Paris is not the leader there. In this bloc, a very different country is in charge. So what deals can we talk about?" End quote.
Researchers at security firm VMware this morning issued a report on threats to Linux-based multi-cloud environments. It finds that ransomware is hitting Linux host images used for workloads in virtualized environments, that most cryptojacking uses XMRig-related libraries, and that most users of Cobalt Strike are using it for criminal purposes.
Yesterday was Patch Tuesday, and Microsoft fixed 48 problems, including issues with Windows Kernel, Hyper-V, Microsoft Outlook and Office, Azure Data Explorer, and Microsoft SharePoint. In some respects, it was a relatively light Patch Tuesday, even by the unexacting standards of February, traditionally a month whose Patch Tuesdays have been comparatively unexacting. Microsoft, which we note in disclosure is a CyberWire partner, addressed one zero-day, a kernel privilege escalation vulnerability, but neither this nor the 47 other problems fixed were rated critical. ThreatPost calls the absence of any critical vulnerabilities in the list of patches unheard of and indulges an effusive "oh, blessed day" in its review of Redmond's latest Patch Tuesday, but of course constrain the joy to moderate levels and don't get cocky, kid. Even merely important vulnerabilities should be fixed.

And CISA yesterday also issued two more industrial control system advisories, both for Mitsubishi Electric products.

And finally, hey everybody, did you know that one half of the couple arrested this week on charges of conspiracy to commit money laundering in the Bitfinex caper was not only a CEO, but a writer, an economist, a journalist, an influencer, an artist, a rapper, and a motivational speaker? She is, you know, although the future course of her career is now uncertain. We're talking, of course, about Heather R. Morgan, snuffled up earlier this week by the FBI and the Treasury Department. She actually was a contributor to Forbes between 2017 and 2021, now listed as former contributor, where she published insufferably self-referential, fizzy, knowing puff pieces about minor, trivially transgressive celebrities. She also sometimes wrote about entrepreneurship, negotiation, and security, and of course, above all, about her very own self and her mad business skills. You can still find those online. What we can't find online anymore are Ms. Morgan's rap videos, but they were there as recently as yesterday. They've now been taken private on YouTube for reasons we can only speculate about. Don't want to prejudice a potential jury pool? Who knows? Anywho, we wouldn't want to have linked to them anyway because they're kind of potty-mouthed and we're a family show, but we did listen and even watch. Others did too, but apparently most of them only paid attention, Reuters says, after the indictment was announced. Reuters is kind of crabby about the quality of Ms. Morgan's rhymes, but to tell the truth, they were kind of painful. Quote, "You don't even know me. Start a company at 23," said one. She also strove for some gangsta swagger like, "Got no clue what I'm about. Could gut you like a trout." Of such things are influencers made. She called herself in her videos the Crocodile of Wall Street and used the nom de rap Razzlekhan. The Razzlekhan website is still up if you're curious. We've been there, and the clue we get about what she's about is probably up to no good. We've been pondering without any maundering. Maybe that was laundering. Allegedly.
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.

The Mozilla Foundation recently created a campaign they're calling Privacy Not Included. Our UK correspondent Carole Theriault took a closer look, and she files this report.

If you read the tech press, you will regularly see information from tech firms. Maybe it's research from a survey they did, or it's a brand new product or service they've launched. And let's be honest, they're not always riveting or, more importantly, useful. But I recently saw a campaign called Privacy Not Included. And it's run by the Mozilla Foundation, the creators of Firefox, a browser that has been championing its privacy features. So our friends at Mozilla have created an IoT creepometer, for lack of a better term. Effectively, it's like a consumer report for its connectivity and privacy features. And it's not exhaustive, but they certainly have done a great stab at covering all the products that people might own. So they have smart home tech, smart toys and games, smart entertainment, wearables, health and exercise, pets, video calling apps, and dating apps.

Okay, let's take a look at one. Let's say it's a brand new year and I want to get fit and I want to purchase a rower. And let's say I lost my mind and wanted a smart rower. Let's go see if the Mozilla Foundation's Privacy Not Included campaign has a rower listed. Woot, they do. Okay, so they have the NordicTrack rower here. And I also see an exclamation mark with an asterisk saying privacy not included. Very high up in the article, they say NordicTrack's privacy policy is an exercise in awful. They say they can sell your data. They can call or text your phone number, even if you are on a do not call list. They may get data from data brokers and use it to know more about you in order to more effectively target you in their ads. Mozilla go on to say that if you buy a NordicTrack exercise machine and sign up for their iFit app for workouts, expect your data to be collected, used to target you with all kinds of ads. Your phone number is now fair game for marketing texts or phone calls from them, and your data is possibly being sold to third parties. Oof!

And this is just one of the hundreds of products that they've reviewed. When I say reviewed, what I think is going on here is someone has been reading the privacy statements associated with each of these products, because that is where a company has to list what it's going to do with your data. But hey, if that's not your bag, you can now go to this Privacy Not Included campaign and check out a product. And if one's not listed, they say, hey, just send it to us and we'll take a look. The advantage here is that Mozilla is writing the information in very plain language so that all of us can understand and we're not bamboozled by legalese. I'm hoping that we will see more tech campaigns like this in 2022. This was Carole Theriault for the CyberWire.

Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And I am pleased to be joined once again by Dinah Davis. She is the VP of R&D Operations at Arctic Wolf and also the founder of Code Like a Girl. Dinah, always great to have you back.

Thank you.

You know, you and I are both parents. And as such, I think, oh gosh, we spend a certain amount of time thinking about what our kids are up to online and trying to keep them safe. I just want to touch base with you. What sort of things are in your day-to-day of keeping the little ones out of trouble?

Yeah. So I think it changes as they age a little bit, right? First thing would be, you know, if you're a parent of smaller children, and since we just went through Christmas, you may have gotten them some pretty cool toys. If any of those are connected to the internet, you definitely want to secure them, right? So do your research, read those privacy policies. How will the manufacturer use that data? Can you delete the data? Can you secure the device? Can you connect it to a guest network? Make sure if there's passwords, you change the default settings or add a password if you can, right? And don't share any identifying information. And if there's, you know, Wi-Fi connected, Bluetooth cameras, microphones, and the toy's not being used, consider completely shutting it off. That way it can't listen in the background, right?

That's for the little ones, but, you know, I have one that's getting a little older, entering her teen years, and yours are also a little bit older than that. You know, make sure they are never using their real names on gaming systems, right? So they should have a handle or something. My daughter has a couple handles she likes to use all the time. And I say, never use your real name. You don't know who you're talking to. Make sure they know that people can pretend to be other things online, and never meet up with anyone that is talking to you or try and connect with them separately. And know who your children's online friends are. Easier when they're a little younger, harder when they're in their late teens. I mean, we're going to, that's, you have to just teach them a little bit on how to behave online, right? Try to keep them off social media as long as possible. You know, like as long as possible, for so many reasons, so many reasons.

Yeah. If you can't, right? Like, you know, at some point it's... I'd say when you can't. Let's say that, yes, because there will be that day for me too, absolutely. When you can't, you know, you should join all the social networks they're on. You should friend them, as much as they may not want that, so that you can, you know, at least see what's going on and be aware. Make sure they know how to report inappropriate behavior and offensive posts on any social network they're on. Make sure they know how to block someone and when they should do that and why. And tell them to keep some information private, right? And then also always teach your kids to never share their location. And when you go into these apps, make sure and go and check with them and show them how to set it up so that the location tracking is not on or shared whenever they post, right? Those are big things that a lot of the social networks have.

She was maybe six or seven. And she was able to iMessage with one friend and her family. And she sent a picture to her friend very innocently. And it kind of showed some stuff it shouldn't have showed. And the mom messaged me and went, she just sent this. And I'm like, what? And so it was so innocent. It was such an innocent thing that she did. And so I explained to her, I said, look, anything you send to one friend or post on any social media or anywhere on the internet, imagine that one thing, whether it's a sentence, a picture, anything, imagine that thing blown up as a 10-foot poster in your classroom. If you're not okay with that poster being up in your classroom, you can't share whatever that is online. Because it doesn't matter even if you just send it to one friend and you trust them. You don't know if somebody else gets their phone, if all of a sudden you have a fight and then they're going to share something else. So anything you share online should be absolutely okay being broadcast to the entire school as a large poster and you standing right beside the poster. And that seemed to be pretty effective. And I think it actually works for like, but it works for kids at like so many ages, right? Because they don't, especially when they're younger, they don't understand what it means to be on the internet everywhere, right? They don't get that concept, right? But they know what it is to have everyone in your class know something about you that you didn't want to know.

Mm-hmm, yeah. No, that's a really, that's an effective message, I think. I like that a lot. All right. Well, Dinah Davis, thanks for joining us.

You bet.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.