CyberWire Daily - Bots, sockpuppets, and trolls. Facebook talks to Congress. Some suggest China hacked Equifax. DPRK gets more Internet. ISIS inspiration. Section 702 authority in doubt.

Episode Date: October 2, 2017

In today's podcast, it's bots, sockpuppets, and trolls, oh my. Mr. Zuckerberg goes to Washington. Equifax sources suggest China hacked it. Credit bureau phishbait chums the Internet. Pyongyang gets a new Internet connection, and observers bet it's not for checking Mr. Kim's fantasy sports leagues (anyway he could get all that from Mr. Rodman). ISIS posts more inspiration, and warnings. NSA prepares to wind down Section 702 operations. Johannes Ullrich from SANS Technology Institute and the ISC Stormcast podcast on malware using malicious DLL files. US and Russia seem to agree on one thing at least: Bitcoin fraud is bad.

Transcript
Starting point is 00:01:22 Mr. Zuckerberg goes to Washington. Equifax sources suggest China did it. Credit bureau phishbait chums the Internet. Pyongyang gets a new Internet connection, and observers bet it's not for checking Mr. Kim's fantasy sports leagues. ISIS posts more inspiration and warnings. NSA prepares to wind down Section 702 operations.
Starting point is 00:02:18 U.S. and Russia seem to agree on one thing at least. Bitcoin fraud is bad. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 2, 2017. Facebook is expected today to provide the U.S. Congress with evidence concerning 2016 election ads purchased by Russia's Internet Research Agency. Bots have become more visibly active in social media. Their tendency has been to exacerbate conflict without much discernible interest in conflict's outcome. Thus, there's been some vigorous bot-tweeting on both sides of the take-a-knee protests surrounding the U.S. national anthem at professional American football games.
Starting point is 00:03:06 McAfee reports that one of the fastest-growing bits of malware last quarter was Faceliker, a trojan that infects a user's browser when it visits a compromised site. Faceliker then proceeds to pony up Facebook likes and advertising content without the user's knowledge or permission. This is principally a criminal enterprise engaged in illicitly goosing advertising revenue, but the information operational uses of this sort of tool are easy to envision. U.S. Senator Warner, a Democrat from Virginia, vice chair of the Senate Intelligence Committee, thinks social media have now become decidedly weaponized.
Starting point is 00:03:44 He says, quote, He also says, and in this he's literally correct, that social media accounts are a lot cheaper than a fifth-generation fighter aircraft. Who's doing the weaponization isn't in doubt. Warner says it's Russia. And he's been disappointed by his committee's meeting with Twitter officials, whom Warner said showed an enormous lack of understanding of just how serious the matter is. So bots, sock puppets, trolls, and advertising seem to be the principal modes in which the ill-intentioned seek to shape and influence opinion online.
Starting point is 00:04:26 Facebook founder Mark Zuckerberg expressed his wishes to atone for the sorry state of bad think his platform has contributed to. It's a tough problem to be sure, and ideas are quicksilver. They seem to flow into new channels as soon as one is closed to them. Equifax is suggesting its data breach was probably the work of Chinese intelligence services. Sources claim to perceive similarities of tactics and approach to the 2016 intrusion into the US Office of Personnel Management. The OPM breach has been widely attributed to cyber operators in China's People's
Starting point is 00:05:01 Liberation Army. Sources also say a dispute between Equifax and FireEye unit Mandiant may have contributed to the problem. Equifax is said to have thought Mandiant substituted junior personnel for the senior consultants Equifax believed they'd hired, and that this led the credit bureau to discount the security consultants' warnings during a crucial phase of the attack. Once they'd made up, the attackers had put themselves in a position to steal what they wanted to steal. There was evidently no permanent rupture between Equifax and Mandiant.
Starting point is 00:05:40 Mandiant is the firm Equifax says it brought in this past August to investigate and help remediate the damage done by the hackers. One immediate criminal impact of the Equifax breach has been to chum the Internet with a lot of credit-themed phishbait, most of it spoofing emails from financial institutions. All would be well advised to treat emails that offer solutions to Equifax issues with appropriate skepticism. Transtelecom, a Russian telecommunications firm, appears to have established an Internet connection with North Korea. This supplements the DPRK's other previously existing Internet connection through China Unicom.
Starting point is 00:06:16 North Korea is famously a minimally connected country and the new capacity surely hasn't been established with a view to enabling locals to download free Space Invaders from retro gamer shops, shop on Alibaba, or access Dennis Rodman's Facebook page. As the DPRK faces financial pressure from international sanctions imposed in the hopes of curbing Pyongyang's nuclear and ballistic missile programs, the country's regime has turned increasingly to online crime to finance itself. The willingness of a Russian telco to deliver the Internet to North Korea also speaks volumes about where the biggest holes in any international sanctions regime are likely to be found. The new connectivity increases Pyongyang's bandwidth and resilience.
Starting point is 00:07:01 It remains to be seen whether this will produce more attack potential than it does potential attack surface. ISIS does some virtual whistling past the graveyard with online videos displaying captured coalition small arms, specifically an AT-4 shoulder-fired anti-tank rocket, an M4 carbine, and one each M16 and M14 battle rifles. This is pretty small beer and four very widely used weapons. That AT-4 may well just be a discarded launch tube, too. And it hardly compensates for the destruction of the caliphate's hold on territory. But perhaps this won't matter to the callow audience for ISIS inspiration.
Starting point is 00:07:49 More worrisome than a handful of guns is ISIS's warning to Muslims, conveyed via Telegram, to avoid public places in infidel lands, as these will be targets of the soldiers of the caliphate. The warning specifically calls out the US, Russia, France, the United Kingdom, Canada, Belgium, Australia, and Italy. It also appears to represent cheerleading, of course, but also inspiration and a gesture of preemptive absolution for any Muslim deaths that will occur as foreseeable collateral damage. In the U.S., the National Security Agency said Friday
Starting point is 00:08:20 that it would have to begin winding down its online surveillance program, commonly known as Section 702 authority, even before it expires at the end of the year. The intelligence community has been urging Congress to reauthorize Section 702 before that winding down begins. And finally, alleged Russian Bitcoin fraudster Alexander Vinnik told a Greek court in Thessaloniki Friday that he didn't do it, and that Greece shouldn't extradite him to the U.S., which is interested in giving Mr. Vinnik an opportunity to make his case for innocence in front of a federal court. Even if the Greek authorities don't send him to the U.S., Mr. Vinnik probably isn't home free. The Russians
Starting point is 00:09:02 say they want him on a fraud beef as well. And in these troubled times, isn't such a display of solidarity between Russians and Americans a breath of fresh air?
Starting point is 00:11:39 And I'm pleased to be joined once again by Johannes Ullrich. He's from the SANS Technology Institute and also the host of the ISC Stormcast podcast.
Starting point is 00:12:18 Johannes, welcome back. There's some new malware techniques floating around and you wanted to give us some details. Yes, what we saw recently was some malicious spam and it was very much obviously malicious. It was one of those spam messages that claimed to contain an invoice, but really included a zip file. Now, where it got interesting was when we looked at the zip file, this zip file actually turned out to be non-malicious. It actually turned out to be a security product. It was Avast's SafeZone browser. It was validly signed. The tricky part here was that this particular safe and valid executable came with a malicious DLL. And now DLLs are these libraries that are being loaded by Windows software at runtime. Many programs don't really check very carefully what they're
Starting point is 00:13:13 loading. As long as the attacker is able to place a DLL with the right name in the directory from which you're starting the software, it will load this malicious DLL. So pretty neat little trick here that the bad guys are using in order to bypass antivirus and other techniques like whitelisting, for example, in order to infect users with their malware. So then what does the DLL do? The DLL in this case was a banking malware. It did inject pages into banking sessions, just like what your average banking malware would do. So is there a way to protect against this?
Starting point is 00:13:56 Not really, other than, well, don't click on these attachments, of course. That's always good advice, but hard to follow through with if you think about how many legitimate attachments users are receiving every day. So it's a benign attachment on the whole, but then inside of there is hidden the actual malware. Correct. All right. Good information. Johannes Ullrich, thanks for joining us. Thank you.
Starting point is 00:15:06 And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers.
Starting point is 00:15:46 I'm Dave Bittner. Thanks for listening.
