CyberWire Daily - Chinese supply-chain hack story gets vanishingly thin. Twitter downs pro-Saudi bots. SEO poisoning. OceanLotus evolves. Ransomware notes.
Episode Date: October 19, 2018
In today's podcast, we hear that no one but Bloomberg seems to retain much faith in Bloomberg's story about Chinese supply-chain seeding attacks. Twitter blocks bots retailing coordinated Saudi talking points about the disappearance of journalist Jamal Khashoggi. Latvia says it blocked attempts to interfere with its October elections. SEO poisoning exploits interest in keywords associated with US midterms. OceanLotus shows a new trick. A Connecticut town pays ransom. Ransomware hoods take pity on a grieving father. We speak with Johannes Ullrich from the SANS Institute, who discusses DNSSEC root key rollover, and with Mike Horning from Virginia Tech, who shares the results of a study on the implications of regulating social media. For links to all of today's stories, visit https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_19.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
No one but Bloomberg seems to retain much faith in Bloomberg's story about Chinese supply chain seeding attacks. Twitter blocks bots retailing coordinated Saudi talking points about the disappearance of
journalist Jamal Khashoggi.
Latvia says it blocked attempts to interfere with its October elections.
SEO poisoning exploits interest in keywords associated with U.S. midterms.
Ocean Lotus has a new trick.
Virginia Tech's Mike Horning joins us to discuss social media regulation.
A Connecticut town pays ransom.
And ransomware hoods take pity on a grieving father.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 19, 2018.
Reports of a Chinese supply chain seeding attack continue to look increasingly thin.
The U.S. Director of National Intelligence says that while, of course, the prospect of such attacks is worrisome,
the intelligence community can't find any evidence that this one actually happened.
DNI Dan Coats said at CyberScoop's cyber talk
session yesterday, quote, we've seen no evidence of that, but we're not taking anything for granted.
We haven't seen anything, but we're always watching, end quote. So the message from the
intelligence community seems to be, as NSA's Rob Joyce put it earlier this month, this,
looking for that Chinese spy chip on server motherboards,
may be chasing shadows.
Former intelligence officials, now retired to the private sector,
second the views of the incumbents.
Michael Rogers, until this spring director of NSA,
told Forbes, mildly,
I'm not sure I agree with everything I read.
One of his Israeli counterparts, Nadav Zafrir, who formerly
led Israel's Unit 8200, told the same publication that he wasn't personally aware of anything like
the attack Bloomberg described. One of the most striking features of the episode is the quick,
clear, and unambiguous denial by the companies said to have been affected by the chip.
None of the purported victims have come forward, and the most prominent companies to be named in the dispatches,
Apple and Amazon, would find themselves exposed
to considerable reputational and legal risk
if their vehement contradiction of the Bloomberg reports
were false or unfounded.
The company at the center of the allegations in the Bloomberg story,
Supermicro, whose motherboards were said to have been salted with spy chips,
has replied to an inquiry from U.S. Senators Rubio and Blumenthal with a categorical denial
that it sustained this kind of supply chain attack. Earlier today, Apple CEO Tim Cook told BuzzFeed
that Bloomberg needed to do the right thing and retract its account. Bloomberg hasn't done so,
instead offering this statement to
BuzzFeed. Quote, Bloomberg Businessweek's investigation is the result of more than a
year of reporting, during which we conducted more than 100 interviews. 17 individual sources,
including government officials and insiders at the companies, confirmed the manipulation of
hardware and other elements of the attacks. We also published three companies' full statements,
as well as a statement from China's Ministry of Foreign Affairs.
We stand by our story and are confident in our reporting and sources.
End quote.
No other news organizations or companies we've been able to find
have been able to confirm Bloomberg's account.
Thomas Rid of the Johns Hopkins School of Advanced International Studies
and author of Rise of the Machines,
engaged in an uncharacteristic Twitter rant.
He tweeted, in part,
Bloomberg's big hack story is the single biggest cock-up
in InfoSec reporting that I know of.
Before somebody says it again,
yes, a supply chain hack is possible in theory.
That is not the point. Of course it is.
The point is that there is no evidence so far for an alleged operation
that should by definition create hard evidence if it actually happened.
So man up, Bloomberg. Face the facts if you think facts matter.
Get to the bottom of what went wrong here.
Stop wasting the time of so many people behind the scenes
and try to salvage your badly t...
He speaks for many other security experts.
One would think that concrete examples of the sort of malicious device would have surfaced by now,
if in fact there were a supply chain seeding campaign of this kind.
So keep an open mind about
the story if you wish and of course recognize that supply chain security is a serious matter.
Sorry, Professor Rid, for saying it again. But also recognize that, so far as disappointed
researchers say, there's no joy. A priori possibility is a good counsel of prudence,
but as evidence it's vanishingly weak.
Twitter has blocked a number of bots that were pushing what appeared to be Saudi government talking points concerning journalist Jamal Khashoggi's apparent murder.
Khashoggi, who disappeared into a Saudi consulate in Turkey on October 2nd, hasn't been seen since.
The bots are relatively low-volume operations, which appears to be one of the
reasons they've generally escaped notice. Flown below the radar, as Ben Nimmo, a senior fellow
at the Atlantic Council's Digital Forensics Lab, puts it, the bots engage selectively.
In this case, they've been using hashtags like WeAllTrustMuhammadBinSalam or UnfollowEnemiesOfTheNation.
They engage selectively and only on matters of apparent importance to the kingdom's policy.
The goal would be, as Nimmo observed to NBC News,
to push the kingdom's messaging into trending on Twitter,
where the regime's talking points are likely to find new and potentially receptive viewers.
Latvian sources say the country sustained but parried cyberattacks
apparently directed at affecting the October 6th elections.
Some of the temporarily successful attacks posted pro-Russian messages in social media.
There's some newly observed election-related activity in the U.S. as well,
but this seems to be of the ordinary criminal kind,
quite uninterested in affecting the outcome of voting.
Security firm Zscaler reports that a search engine optimization poisoning campaign, SEO poisoning for short,
is in progress. The perpetrators are using keywords likely to be associated with the
American midterm elections to drive traffic to sites that advertise various scams, or to watering
holes that expose visitors to exploit kits, or at least to potentially
unwanted programs.
Security firm Cylance reports that Vietnam's cyber-espionage threat group OceanLotus,
also known as APT32 or Cobalt Kitty, has shown renewed activity and upped its game in several
respects, including through the use of obfuscated Cobalt Strike Beacon payloads
for command and control.
The town of West Haven, Connecticut, suffered a ransomware attack.
Unable to think of any better option,
the town decided to pay the $2,000 the hackers demanded.
The mayor says the criminals have restored West Haven's access to its data.
An effective system of backing up data would have spared them the trouble, expense, and humiliation.
And finally, the hoods behind the GandCrab ransomware have released decryption keys to a Syrian man
who said they'd deprived him of photos of his sons, killed in that country's civil war.
The extortionists also sent some ambiguous signals
that they might remove Syrian targets from their hit list.
We hope a grieving father got his memorabilia back,
but we're not going to give the GandCrab masters much credit for honor among thieves.
And I'm pleased to be joined once again by Johannes Ullrich. He is from the SANS Institute.
He's also the host of the ISC Stormcast podcast.
Johannes, welcome back.
You had some information to share today about DNSSEC root key rollover.
What do we need to know?
So DNSSEC is one of those great ideas that never really took off because of some of the technical difficulties in implementing it and rolling it out.
Now, one of these issues that has come up recently is the DNS root key.
So the way DNSSEC works essentially is that you do verify all of your information in your DNS server
by attaching signatures to it.
And to verify the signatures, you publish keys.
Ultimately, these keys have to be signed by the root key for the root DNS zone.
And that key is sort of hard-coded in the configuration file of your DNS server as trusted.
The problem is that this key also has to be rotated every so often.
And, well, that time is coming up now,
but nobody appears to be, or many people appear not to be ready for this.
If you don't rotate this key,
then all data signed by the new, to-be-issued key will be considered invalid.
So what's to be done here?
Well, first of all, verify your DNS server configuration. Make sure you either update
the key or you have your server configured to automatically do so. And there is an option now
to do it. In general, with DNSSEC, there are now a couple of options to make it easier to publish your data.
Many registrars now support it with a quick check of a box.
Also, Cloudflare is now getting into the DNSSEC business and making it easier for you to actually participate in it and publish your information using DNSSEC.
So do you think we're going to see wider adoption as we go forward?
I hope so.
Like the Cloudflare approach looks somewhat promising.
They're also trying to automate a lot of the mechanics behind DNSSEC that have been manual
in the past, like, for example, publishing your information with your parent zone,
like your .com or .org, so on your registrar. This was very failure-prone the way it was done in the past,
so maybe it'll help. But on the other hand, there are a couple of alternatives coming up now, because
DNSSEC was so difficult to implement, that do most of what DNSSEC does, but at a much lower cost when it comes to
implementing it. Like, for example, DNS cookies is one option I see actually taking off
quite quickly recently. So there's some, I don't know, some other choices out there in the market.
Yes, DNSSEC is a very secure, very nice protocol as it's designed, but maybe a little bit over-designed.
So it's kind of almost too secure.
It also does cause some problems, like for denial-of-service attacks and the like.
These DNS cookies, the nice thing about them is that you really don't have to configure anything on sort of your average DNS server.
They sort of just work out of the box.
They're not quite as secure and robust as DNSSEC,
but, well, probably good enough to solve sort of 80% of the problem at a very minimum cost.
Johannes Ullrich, thanks for joining us.
Thank you.
My guest today is Mike Horning. He's an assistant professor of multimedia journalism
in the Department of Communication at Virginia Tech with expertise in the social and psychological
effects of communications technologies. He and his colleagues recently conducted a study
that asked Americans how they felt about government regulation of social media.
There's actually something in communication theory that we look at called the third person effect.
This is a theory that basically says that people have a tendency to overestimate the impact of media in terms of how it influences other people, and they have a tendency to
underestimate its effect on themselves. So, for example, people might in the past say,
oh yeah, lots of people are affected by television, but television doesn't really affect me.
We were kind of curious about this question of fake news. So our question was: were people overestimating the amount of
impact that fake news would have on other people, and in turn also underestimating the impact that
it would have on others? So that was the start of, you know, the interest.
So take us through, what did you discover from the survey?
Well, we found a couple things, some surprising and some not so
surprising. You know, the first thing that we found is that, you know, similar to other media
influences, we found that the people did have a tendency to think that fake news had a greater
impact on people, other people, and they tended to underestimate, you know, the impact that it had on them.
So that in itself was not a terribly surprising finding. We kind of expected that.
But we did take the research a little bit further. And we asked people, if you were concerned with
the impact that fake news had on other people, did you want to see stricter government regulation
of social media to protect you from, you know, influences of fake news? We thought that people,
if they were more concerned, particularly if they were more concerned of its impact on others,
would probably see a greater need to see, you know, more government regulation. And we found that to be actually not true.
People said, yep, we are concerned, but we don't want to see a lot of government oversight on
social media. The other interesting finding that we did discover is we also asked people,
if you were concerned with fake news, how did it influence
your news sharing habits? And when we said news sharing, we meant all news. So, you know,
it could be mainstream news, it could be, you know, non-traditional sites. And what we found
is that people who were more concerned with the impact of fake news in their social feed were overall more likely to avoid sharing all news in their social feed.
So we thought that was an interesting finding on a number of levels.
The indirect influence or indirect impact of fake news is that it could discourage people from sharing actually legitimate news.
You know, a secondary impact could be that it could affect the bottom lines of news industries who, in part, are dependent on, you
know, people sharing that content in their social feeds. Yeah, it's interesting that the, I guess,
news itself maybe has a bad odor on it because of the implication that it might be fake news?
It could be that, but it could be that people are having a difficulty knowing what is fake
news and what is not.
And so, you know, it might be natural for people to just say, well, I'm just not going
to share news at all.
Rather, you know, be safe than sorry.
I suppose, I mean, we hear so much about people
kind of self-siloing in these environments, building bubbles for themselves. Yeah. And
that is, that's another challenge I think that we are facing. You know,
some of that is because of algorithms, you know, in the social feeds that do basically, you know, it's not a conspiracy per
se. It's just that the algorithms in your social feeds are designed to give you information that
you're interested in. So every time you click on a piece of news or a news site, that algorithm,
you know, correlates it with other information that you might be interested in. And so very
quickly, you can kind of find yourself siloed in terms of like the information that you get.
You know, and part of it is our own doing. We have a tendency to hide people that
annoy us and turn off people who, especially, you know, if we're not politically
inclined, or if we are, we have a tendency to gravitate towards those people who confirm our own biases and we have a tendency to reject those people who don't.
Now, how does all this inform the work that you all are doing there at Virginia Tech in terms of preparing that next generation of journalists?
It's something that we certainly talk about in our classes.
I teach a class that's actually specifically focused on the influences
of technologies on society. I spend a lot of time trying to get students as journalists to
think carefully about being fair to different sources. You know, we all have our own biases
that, you know, we're always going to be combating those. And I think that's
just human nature. And I think that's not so much the problem. The problem is being aware of those
biases and trying to keep them in check and trying to give people the benefit of the doubt when you
ask them questions, you know, rather than automatically assuming the worst in someone.
And I encourage my students to ask more questions and listen
more thoughtfully than anything. I think a good journalist needs to do that first and, you know,
ask people, well, why do you think that? And have you thought about, you know, this or that? And
engage people in meaningful conversations rather than sort of this [...]ative back-and-forth desire to prove you're right all the time.
We have other areas of research where we're trying to help be a little more proactive in addressing that problem.
I'm working with a colleague in computer science right now where we're working on building an application in your Twitter feed that identifies news in your feed that has clearly
been marked as fake news, and then other news that has been considered questionable content.
And our approach to it is actually not to just be sort of like the all-knowing seer who says,
you know, this news is fake and this news is not,
because, you know, we found in our research that if some place like Facebook or Twitter tells you
what to think about the news, people have a tendency to almost reject that. So we try to
highlight questions in the news feed that other people in the feed have had. So we can kind of encourage more of a, you know, a kind of citizen-to-citizen conversation and then
let people decide for themselves whether they agree with it or not. Our
thinking is just to provide sort of these nudges that encourage people to just kind of think
a little more critically about the information in their feeds.
That's Mike Horning from Virginia Tech.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep
you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.