CyberWire Daily - Cyber espionage: many operations and many targets. Misinformation and online fraud during the pandemic. Beer and conviviality versus operational security.
Episode Date: May 20, 2020
Cyber spies steal prototype missile data. Others hack into South Asian telecoms, and still others go after easyJet passengers' travel data. Cyberattacks, misinformation, and cyber fraud continue to follow the COVID-19 pandemic. Joe Carrigan weighs in on the Thunderspy vulnerability. Our guest is James Dawson with insights on DMARC threats and why it's worse during COVID-19. And think twice before you post, no matter how good or bad you think the beer is. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/98
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Cyber spies steal prototype missile data.
Others hack into South Asian telecoms.
And still others go after easyJet passengers' travel data.
Cyber attacks, misinformation, and cyber fraud continue to follow the COVID-19 pandemic.
Joe Carrigan weighs in on the Thunderspy vulnerability.
Our guest is James Dawson with insights on DMARC threats and why it's worse during COVID-19.
And think twice before you post, no matter how good or bad you think the beer is.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 20th, 2020.
Japan's Defense Ministry is investigating the possible theft of technical details
from a proposal concerning a missile designed by Mitsubishi Electric.
Reuters says the details of the cyber espionage are sparse, but that the data stolen probably included certain performance specifications.
The report adds that the missile won't be produced.
The material stolen appears to have been from files associated with a proposal,
and apparently Mitsubishi Electric didn't get the contract.
Researchers at Broadcom's Symantec unit are attributing attacks on South Asian telecommunications
companies to Greenbug, an espionage group associated with Iran, and thought to be connected
to the group responsible for Shamoon.
CyberScoop reports that most of the activity was directed against Pakistan's telecommunications system.
Telcos are attractive targets because of the value of the data they carry.
The focus on Pakistan suggests a service with a strong interest in the region.
The Jerusalem Post, considering the recent cyber attack on an Iranian port
as retaliation for a cyber attack on Israeli water treatment facilities,
sees the exchange as typifying a new approach to cyber war, continuous engagement.
Sources tell Reuters that Chinese intelligence services were responsible for the easyJet hack
that affected some 9 million passengers.
The anonymous sources say that the same threat group had tracked travelers before
and was interested in their movements, not in financial gain from credit card theft.
Australia's government has condemned unnamed nation states for conducting and supporting
cyber attacks under the cover of the coronavirus, the Australian Financial Review reports.
The countries may be unnamed, but the prospect of arousing China's ire, to which the article alludes,
suggests a bad conscience somewhere in the vicinity of Beijing.
Either that, or, of course, injured innocence, since it goes without saying that China denies
any involvement in cyberattacks conducted during the pandemic.
COVID-19 misinformation continues to find alternative outlets.
Increased fact-checking and content moderation by social media providers may have
pushed misinformation into other channels where it can circulate without much hindrance.
The Washington Post takes the documentary Plandemic as its example.
The documentary, whose long trailer has been pushed from YouTube and other social media,
has been circulating using apps such as Google Drive.
Short comments on the trailer, written to avoid language that would trip content moderation alerts,
appear on major social media platforms,
and these in turn direct visitors to
the sites where the trailer is available. Plandemic, which retails a complex and implausible
conspiracy theory about the alleged corporate and government interests that the filmmakers
claim are behind the pandemic, has provided a popular example of COVID-19 misinformation.
It's often cited as an example of the dangerous potential of
misinformation. Its recent distribution also affords an example of the difficulty of controlling
such misinformation spread.
Unemployment relief assistance designed to compensate workers who've lost their jobs during the economic stress of the pandemic is being targeted by scammers.
Agari reports that much of the criminal fraud against such relief programs observed by the U.S. states of Florida, Massachusetts,
North Carolina, Oklahoma, Rhode Island, Washington, and Wyoming is the work of the Scattered Canary
gang, a criminal group based in Nigeria. The researchers outlined a few of the approaches.
They found that 82 fraudulent claims for CARES Act economic impact payments were filed between
April 15 and 29.
Since April 29, at least 147 fraudulent unemployment claims were filed in the state of Washington.
Between May 15 and 16, 17 fraudulent unemployment claims were filed in Massachusetts. And most recently,
Agari has observed signs that the criminals are turning their attentions toward Hawaii,
where on the evening of May 17th, two claims were registered with the state's Department of Labor
and Industrial Relations. The techniques Scattered Canary is using are the grubby,
low-tech stuff of petty cybercrime. Bleeping Computer says that the gang is using social security numbers
and other personal data stolen from identity theft victims
to create bogus accounts on assistance sites.
As the Washington Post points out,
state relief agencies are under the gun to provide assistance to people who need it in a hurry,
and haste is usually accompanied by a certain relaxation of vigilance.
James Dawson is a contractor and advisor to Donska Bank, working in the IT Business Risk
and Controls Division in the office of the CISO. He shares his insights on DMARC and DKIM threats
and why particular vigilance is in order in the midst of the COVID-19 pandemic.
Every bank and financial service organization right now, Dave, is trying to manage the crisis. That's one thing. Everybody working
from home and all of the challenges of having your workforce completely remote. There's all
sorts of technical challenges that you've got to face, you've got to solve. But then there's also the threats. The threats change.
So during the crisis, during the COVID-19 crisis, we've noticed that the threats have changed to
much more intensive phishing and spoofing campaigns are going on.
Well, take us through that. What sort of things are you addressing?
Well, generally, I think that most organizations are relying upon Sender Policy Framework, which is SPF, and DomainKeys Identified Mail, and also Domain-based Message Authentication, Reporting and Conformance.
So that's DKIM and DMARC.
Along with TLS, those are the most preferred methods of trying to fight against spoofing or phishing.
So during the crisis,
it's one thing to be able to protect your own domain. So you already apply those protocols
so that you can protect your own domain. Just as an example, take Citibank.com.
You have methods of protecting that domain, and you can also train the individuals within your organization to, even though they see a message coming from what looks like the bank's domain, to question it.
Is it really something that I need to address, or is it something that I would even click on or something that I would act upon?
So that's one thing. And then the other thing is to have your threat professionals and those that are doing your research and doing the settings for your revision to your DKIM protocols and your DMARC, to have them start thinking like a criminal.
And I know we've discussed this before in your program.
Now, you know, I've seen in email correspondence with folks that a lot of enterprises will have a feature in their email where if something comes from outside of the
organization, that gets flagged, you know, in unambiguous terms within the email that says,
you know, this message came from outside of the organization. Is that sort of thing helpful for
tracking those spoofed emails, the ones that look close to the name of the organization but aren't quite right?
Yeah, I like those. Even the ones that look like they're actually coming from the authority
can still be spoofed. And I like those warnings on any message that comes from outside the bastion
of the organization. And so those little messages, those little tags, we call them mitered messages.
They're mitered onto the mail as it goes to the production server
to route the message.
If they're short and sweet, if they're clear and simple,
then people will read them and act upon them.
If they're verbose and lots of scary words and letters in them,
people just think that there's some sort of warning and they skip over them.
That's a problem with that sort of thing.
That's James Dawson from Donska Bank.
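To make concrete what the SPF, DKIM and DMARC combination Dawson mentions actually decides, here is an added illustration (not code from the show or from any bank): it parses a constructed _dmarc TXT record and checks whether an SPF or DKIM result aligns with the visible From: domain, which is the step that keeps a lookalike or borrowed sending domain from passing. It assumes no DNS lookups (the record and results are supplied as inputs) and a simplified organizational-domain rule instead of the Public Suffix List.

```python
"""DMARC alignment check. Added illustration; the record, domains and
authentication results below are constructed, not taken from a real sender."""

ALIGNMENT_RELAXED = "r"
ALIGNMENT_STRICT = "s"


def parse_dmarc(txt: str) -> dict:
    """Parse a _dmarc TXT record such as "v=DMARC1; p=reject; adkim=s" into tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    # RFC 7489 defaults: relaxed alignment for both identifiers, policy "none".
    tags.setdefault("adkim", ALIGNMENT_RELAXED)
    tags.setdefault("aspf", ALIGNMENT_RELAXED)
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a real implementation consults the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same org domain."""
    if mode == ALIGNMENT_STRICT:
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_pass, disposition).

    An identifier counts only if its own check passed AND its domain aligns with
    the From: domain. A spoofer who passes SPF for a domain they control still
    fails, because that domain does not align with the brand in the From: header.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and bool(spf_domain) \
        and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) \
        and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"           # authenticated: deliver normally
    return False, tags["p"]           # apply the domain owner's published policy


if __name__ == "__main__":
    # Constructed policy for a hypothetical bank domain.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@examplebank.com"
    # Legitimate mail: SPF passes for a subdomain, relaxed alignment accepts it.
    print(evaluate("examplebank.com", "pass", "mail.examplebank.com",
                   "none", None, record))
    # Spoof: SPF passes, but only for the sender's own unrelated domain.
    print(evaluate("examplebank.com", "pass", "mailer.example.net",
                   "none", None, record))
```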
Lastline this morning released the results of a study that focused on NRDs, newly registered domains, with an evident COVID-19 theme.
They've concluded that there's less novelty about these efforts than might have been expected.
While phishing is up, it appears the criminals are devoting more effort to refreshing and re-emphasizing existing campaigns to match the times than they are in coming up with innovative approaches.
The UK's contact tracing app undergoing trials on the Isle of Wight is attracting further skepticism about its efficacy.
While download rates during the trials have been reported to be satisfyingly high,
Computer Weekly reports that recent studies have cast doubt on the willingness of British users to install the app.
The existing NHS app, not the contact tracing app, but rather the app through which patients access health care data and book appointments with their doctors,
is being considered for adaptation into an immunity passport, the Telegraph writes.
According to the app's developer, iProov, addition of facial recognition software to the tool could be used to verify the identity and immunity status of users.
Finally, some security advice for military and intelligence professionals.
Treat beer as a commodity and be content.
Bellingcat points out the risks of using the Untappd app to rate brews.
You can be tracked.
Untappd engages in what Bellingcat calls meticulous location tracking,
showing the locations where the users consumed the beer they were rating. It's not so much that Untappd is irresponsible.
In fact, Bellingcat describes the app's privacy settings as being pretty decent.
It's just that it's possible to correlate locations and movements with other social
media, and as is almost always the case, people want to upload pictures of the places where they're enjoying themselves.
So resist the temptation, military and intelligence professionals.
Enjoy your beer responsibly and privately.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute
and also my co-host over on the Hacking Humans podcast.
Hello, Joe.
Hi, Dave.
We have seen stories coming from many, many different directions
about this new attack that is being called Thunderspy.
Yep.
And this has to do with Thunderbolt ports.
You and I have been looking at some research from the folks over at Duo,
but this is being written about all over the place. What is your take on this? First of all,
can you describe to us what's going on here?
The research comes from a master's student at Eindhoven University of Technology. His name is Björn Ruytenberg, and I hope I'm saying that
right. But it's a vulnerability in Thunderbolt, and at the very root of the vulnerability is a design decision that the chips on a Thunderbolt controller do not run signed code.
So that's really the root of the problem.
So that means that if I can have physical access to that controller, I can change the software that runs on that controller.
And Thunderbolt is a protocol. I mean, I suppose it's probably more widely known with Mac users.
There's a whole generation of Macs that had Thunderbolt ports on them, and you use that for
things like external hard drives or external monitors. It's a sort of a high-speed
port. Right. It's a high-speed port. It's the same external port as a display port,
although more recent versions actually run over a USB-C port. I don't know. I'm not a big fan of
dual-purposing port designs. I think that's a bad idea, but, you know, that horse has left the barn
on this one. And that's just, I think that might just be me old manning it, you know, going.
But yeah, I've used Windows computers all my life and Linux computers more recently for the past five years.
And I have never had a computer with a Thunderbolt port on it at all.
So it's not something that's all that common. This attack does require physical access to the device. Not only that, but you have to open the device up, and then you have to attach your own malicious device onto it to rewrite the
firmware on this chip. And because this chip runs unsigned firmware, you can run arbitrary code on
it if you can get that level of access. Yeah, and that's the part that I think people are drawing attention to here
is that the whole fact that you need access to the machine,
and this is commonly referred to as an evil maid attack,
where the notion is you've left your computer in your hotel room
while you've gone down to the bar or out to have a bite to eat,
and an evil maid can come in and do what they want to do with your machine.
And so people, I think, raise their eyebrows over the odds of that being an issue
for folks in their everyday lives. Yeah, there's an old saying we used to say,
physical access is root access, right? If I can touch a machine, I can do anything I want to it.
But one of the main protections against physical access being root
access is you can encrypt your hard drive, right? And that way your data at rest is secure. If
someone steals your laptop and they can't access it, then they can't get to the data. But apparently
with this attack, if someone steals your laptop while it's maybe in sleep mode and then they open
it up or they perform this malicious attack on it, they can actually get into all the files that are encrypted on your hard drive,
because those files have already been accessed by the operating system through the
encryption protocol, right, through whatever encryption workflow to access those files,
because encrypted files are of no use to you unless you can actually access them when you need
to and you're authorized to, right?
Right, right. So that's, I think, the biggest single interesting thing about this
is that if I have access to a computer
that I know has data that I want on it,
then I can get that data,
even if that data has been encrypted using whole disk encryption.
Yeah, yeah.
I guess a lot of the articles have pointed out
that more recent machines,
machines made in the past few years, don't seem to be susceptible to this.
So if you're concerned, it's a good excuse to upgrade.
Right.
to someone coming into your hotel room, for example, or your office or wherever, and using the physical access to alter that machine, then you're going to know about that. You're going to
have protections in place to try to minimize the likelihood of that happening.
Absolutely. You know, we've heard stories about people who have left, I think it was Kevin
Mitnick who told the story about leaving his hotel or his computer in his hotel and then
giving it to somebody else to work on it. And the person who was working on it said, why did you
open this up and tighten the screws down so hard? And he said, I didn't do that.
And somebody had done that to his computer. I think that was Kevin. But if you know who that
is, if you know that you're that kind of person that is at risk for that, then yeah, you're going
to do, you're going to take other measures. Yeah. It's interesting that they make
the point in one of these articles that while the odds of someone falling victim to this may be low,
it's still a good thing that we know about this because it advances our knowledge of types of
attacks that we need to be aware of. Right. It is interesting research. And Intel should actually,
and I think they probably are in the future,
design their chips to only run
with signed versions of their firmware.
That should be standard security practice by now.
But, you know, it's going to take some time
to implement these practices across all this hardware.
And that hardware has to age out.
But over time, we'll move in a more secure direction
against things like this. Yeah, absolutely. All right. Well,
Joe Carrigan, thanks for joining us. It's my pleasure, Dave.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Thanks for listening.
We'll see you back here tomorrow.
