CyberWire Daily - China criticizes Twitter and Facebook. Silence expands internationally. A popular Ruby library was backdoored.
Episode Date: August 21, 2019. China says Twitter and Facebook are restricting its freedom of speech. The Silence criminal gang has expanded internationally. Google, Mozilla, and Apple are blocking the Kazakh government's root certificate. A popular Ruby library was backdoored after a developer's account was hacked. And scammers buy ads to place their phone numbers at the top of search results. Daniel Prince from Lancaster University on cyber risk in a global economy, and guest Rick Howard of Palo Alto Networks on a study revealing Americans are confused about cybersecurity.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
China says Twitter and Facebook are restricting its freedom of speech. The Silence criminal gang has expanded internationally. Google, Mozilla, and Apple are blocking the Kazakh government's root certificate. A popular Ruby library was backdoored after a developer's account was hacked. And scammers buy ads to place their phone numbers at the top of search results.
From the CyberWire studios at DataTribe, I'm Tamika Smith, sitting in for Dave Bittner, with your CyberWire summary for Wednesday, August 21st, 2019.

Beijing has come out with a forthright defense of freedom of speech, sort of. After Twitter and Facebook on Monday took down accounts they determined were conducting information operations against the ongoing protests in Hong Kong, and after Twitter changed its advertising policy to no longer accept paid advertising from state-controlled media, China's government protested the companies' actions. The country's foreign ministry spokesman said the victims here were not the intelligence services of the Chinese government, but rather expatriate Chinese who were expressing their patriotic outrage over the discreditable misbehavior of people in Hong Kong. And it's not just those patriotic expatriates. China's government says that it also has a, quote, right to tell its story. With a chutzpah that almost inspires a kind of admiration, Chinese authorities are said to have pointed out the fact that both Twitter and Facebook are blocked in China as evidence of spontaneous patriotism in the Chinese diaspora.
Singapore-headquartered security firm Group-IB has published a follow-up report on Silence, the Russian-speaking criminal gang they've tracked for the last three years. Silence initially displayed poor OPSEC and was confined to a limited range of mostly Russian targets. However, the group has now improved its security game and has expanded internationally to more than 30 countries. Their customary infection technique is phishing, beginning with a reconnaissance phase that sends bogus email delivery failure notices. Once they've compromised a bank's networks, the attackers move laterally until they've compromised the systems used to control ATMs and card processing systems. Finally, they'll have local money mules visit the compromised ATMs and withdraw large quantities of cash. The group has stolen more than $4 million between June 2016 and June 2019. Group-IB also noted similarities between the Silence downloader and FlawedAmmyy, a remote access Trojan used by TA505. The researchers say the code overlap suggests that the same developer is behind both pieces of malware, although they maintain that the two criminal groups are acting separately.

According to Motherboard, Google, Mozilla, and Apple said on Wednesday that their browsers would block a root certificate issued by the Kazakhstan government to surveil citizens' internet traffic. Kazakhstan's attempt to force its citizens to download their certificate was apparently cancelled earlier this month, with the government characterizing the move as a test. But Mozilla told Engadget in a statement, quote, while the government's test has apparently ended, the mechanisms it can use to spy on the web traffic are still in place, and some users may still have this malicious certificate installed. We aren't waiting for the vulnerability to be exploited again in order to fix it, end quote.
As data privacy and rights take center stage in many countries, feelings around protecting data are re-emerging as another point for conversation. A new online survey by Palo Alto Networks and YouGov delves into how people feel about protecting their information. To sum it up in one word, confused. Here to talk more about these findings is Rick Howard. He's the chief security officer at Palo Alto Networks.
Hi, Rick.
Thanks for helping us shed some light on this topic.
Thanks, Tamika.
I'm glad to be here.
All right. So let's pull back the layer when you say confused.
To be clear, you surveyed people from several countries.
So let's start with the U.S.
What are Americans feeling when it comes to being safe online?
Yeah, it's a great question. And we were interested in something very specific here, right? With all of the advanced attacks these days conducted by criminals and hacktivists and commercial and nation-state spies, and what seems to be a continuous low-level cyber conflict between nation-states, how are the victims of these attacks, the humans, coping? Are they receiving the training they need to be successful in this endeavor? That was the reason we commissioned the survey. For the Americas, 62% of Americans feel they should be responsible for the security of their own personal information, but only 24% admitted to having a rudimentary security process in place to help them.

Well, not only did you break it down that way, you also looked at other categories, right? For me, willingness to learn is the one that actually stood out. Can you talk a little bit more about the practicality of that being the foundation?

Yeah, I think that's really interesting that the normal employee or user of the systems wants to learn how to be better at this, right? But I'm going to tell you, I'm kind of a naysayer here, right?

Okay.

The survey data confirms to me a notion that has been changing in the network defender community over the last couple of years. You know, in the old days, okay, it was common for people to accuse the user of being the problem. You know, I am sure I have said public things like you can't fix stupid, and if you could just get rid of the weakest link, the user, we wouldn't have any security problem. As I've gotten more mature, okay, in this field, okay, it occurs to me that, you know, blaming the user for not being technical enough to see adversaries like OilRig and Emissary Panda and Reaper attacking their laptops, you know, that all just belongs in the pile of cybersecurity elitist BS. Okay, it just does, right?
I have problems spotting malicious links in email, and I've been doing this stuff for
over 20 years.
But the community has been expecting the grandmas of the world to know enough to spot these
advanced attacks.
In hindsight, you know, that's just laughable.
And the tech community has not made it easy for the general purpose Internet user to navigate these obstacles either.
You know, the tools we have for security are advanced and they work fairly well, but they're not designed for grandma to use.
You know, they're designed for cybersecurity professionals.
This problem is on us, the network defender community, for not protecting grandma from the attacks in the first place.

Okay, so staying on that point, then what should the professionals be doing in order to protect someone like grandma?

Well, they should be doing the things they know they should be doing. But you know, it's typical for us, if a bad guy is successful, to blame the victim for doing something stupid. And I just don't think that's viable anymore. Like I said, we can help grandma be more secure in her personal life, right? But really, if the bad guys get through, it's on the security community, not the user.
Okay, so when we're talking about the security community, we're talking about not only about
professionals, humans, but also AI.
And you also did a study that looks at other countries. So
let's look at other countries, including Brazil and Canada. You polled them about their feelings
toward online security and it being handled by AI or humans. So who do they prefer?
I really like the Europeans' answer to this, right? The Canadians and the Brazilians are pretty standard, but the Europeans, 26% of them said they would prefer to have automation handle their security protection, right? And what's really interesting about that is we have reached the stage now in the cybersecurity community where machine learning techniques are really useful in the cybersecurity domain. And the reason it is, is it's become possible for organizations to store large amounts of data, mostly in the cloud somewhere. And you really can't do machine learning algorithms unless you have piles and piles of data. I'm talking about petabytes of data. And these machine learning algorithms work specifically well in very specific cases in the security domain, like, for example, finding malicious files.
When you talk about comfortability and trust, and cybersecurity is relative to the user, right? Whether you prefer AI because it's communicating to technology in a way a human can't and can secure systems more effectively, or the feeling that a human would have more empathy. Can you talk a little bit about that idea of trust?

Yeah, and I think the community is slowly coming around to this, right? And you know, 10, 15 years ago, we relied on humans to react to the attacks coming against our organizations. But what we've noticed in the last 10 years is the bad guys have automated their own attacks. All right. And so if you're going to use humans to respond to that, you are always going to be behind. I had an old boss of mine that says, you know, we're bringing humans to a software fight, which we will lose every single time. We have to get comfortable as a community trusting the automation that we have in place to handle those incidents in order to stop them. It's about bringing the right gun to the gunfight.

Yeah, that's right. At least we've got to bring software to the software fight.

Okay. So that's Rick Howard. He's the chief security officer at Palo Alto Networks. You can find him tweeting at @RaceBannon99.
New versions of a popular Ruby library, rest-client, were found to contain malicious code that allowed an attacker to collect sensitive information and run additional code on clients' machines. The code was inserted last week after a hacker compromised a RubyGems account belonging to a rest-client developer. According to ZDNet, the hacker used the account to push four backdoored updates to the library, which were downloaded around 1,200 times. The attacker's goal seems to have been cryptocurrency mining. The malicious versions of rest-client have since been removed from RubyGems.
And finally, scammers are gaming search engine results to display their own phone numbers at the top of search results.
The searches they're gaming are for customer support lines belonging to well-known brands.
Since paid ads appear up near the top of search results, people looking for a
phone number can be fooled into choosing the wrong result. Voice assistants have proven particularly
vulnerable to this form of deception since they automatically choose which number to call and
provide no visual frame of reference for the user. Paying for the ad seems to make economic sense for
the criminals since they get
a solid return on their marketing investment. And in this case, the scammer's not calling you,
you're calling the scammer.
And I'm pleased to be joined once again by Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, it's always great to have you back.
I know something that you all have been tracking at Lancaster is sort of the changing nature of nation state cybercrime and how that plays into the global economy. What can you share with us
today? Thanks for having me back on. So this is an area of real interest for me. So I'm really
interested in the large scale systematic risks that come from
cybersecurity in this global digital environment in which we operate. And yeah, the trend really is
for increasing connectivity, hyper connectivity of everything from the financial services sector,
all the way through to things like industrial control systems, physical process control. And that's changing really the nature in which criminals operate, but also changing the way in which
nation states are operating. And we've seen a real rise in what's been variously termed as hybrid war,
ambiguous war, grey zone conflict, where the nation states are actually able to operate within the uncertain
boundaries of a globalised, hyper-connected environment. And so we see things like the Bank
of Bangladesh heist, which was an attack against the central bank and reportedly conducted by
a nation state in order to fund internal activities within that nation state,
particularly around their military program. Now, there are various conversations around that about
how true or not that is. But that kind of concept that now a nation state is performing what would
have traditionally been seen as a criminal act in order to fund nation state activities is quite an
interesting and emergent
of global politics within a digital environment. It's interesting the possibilities that it opens
up because you imagine a nation sending in a group of folks under the cover of darkness to
pull off a bank heist in the physical world. Well, this is a different thing. It's a different
plausible deniability, I suppose.

Well, and this is where the ambiguous nature comes in. As we all know, it can be very hard to attribute actions to individual groups, individuals, or even nation states, and it's that ambiguity that drives the uncertainty within the political dimension that we're seeing,
and also it's the lack of physicality, as you rightly point
out. If I was going to rob a whole load of gold, steal a whole load of gold from somewhere, there's
only so much that I can steal, there's only so much I can put in a van, for a given size of van
and a given number of people. And there's only so many places I could take it to. And there's only
so fast I can travel. So that physical nature of stealing physical rare items,
physical commodities is very different to the digital environment. And it's not just about
theft, it's about the knock on cascading impacts of that. And so understanding those and how
the act of that theft may have real far reaching implications that we're not necessarily aware of
that become systemic risk issues in the future.
It also strikes me that there's a reticence from leaders of nation states, perhaps acting in their own self-interest,
to draw lines in the sand to say that we're not going to do these sorts of things.
They've left a lot of that fuzzy and, as you say, ambiguous.
Well, we've seen certainly recently nation-states coming out and actually exercising some of that cyber power, that cyber influence, and actually
directly attacking as part of a political influence process. And that, again, has real-world
kind of implications on politics. And one of the concerns is really around that global infrastructure.
You know, particularly in the West, we have this kind of very liberal view of the internet as
something that is open and connected. But we're starting to see as that becomes much, that
infrastructure becomes much more critical to nation state economy, nation state prosperity,
and civilian lives, that the nation state governments are
starting to go, well, how do we control this much more? The interesting point here is that most
nation state governments are really interested in borders and boundaries and how they control the
flow across that. Certainly, the big concern that I have is the kind of the balkanization of the
internet, the breaking up so that actually the perimeters of the internet for the prosperity of the nation start to be much more policed, as we've seen
in some other nation states. All right. Well, Daniel Prince, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, Thanks for listening.
We'll see you back here tomorrow. Thank you.