CyberWire Daily - Cyber espionage. Russia tries Web autarky. The US will investigate TikTok. A bad keyboard app is out of Google Play but still in circulation. Crime comes to e-sports. Happy hundredth, GCHQ.
Episode Date: November 1, 2019
FireEye warns of Messagetap malware and its spying on SMS. NSO Group's Pegasus troubles seem to be expanding. Russia prepares to disconnect its Internet. The US opens a national security investigation into TikTok. An Android keyboard app is making bogus purchases and doing other adware stuff. E-sports draw criminal attention. And happy birthday, GCHQ. Robert M. Lee from Dragos on why it's important for him to set aside time for teaching. Guest is Phil Quade from Fortinet on his recently published book, The Digital Big Bang, which makes an analogy between the Big Bang that created our Universe, and the explosion of bits & chaos in humankind's age of cyber. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/November/CyberWire_2019_11_01.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me, now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
FireEye warns of Messagetap malware and its spying on SMS.
NSO Group's Pegasus troubles seem to be expanding.
Russia prepares to disconnect its internet.
The U.S. opens a national security investigation into TikTok.
An Android keyboard app is making bogus purchases and doing other adware stuff.
Esports draw criminal attention.
And happy birthday, GCHQ.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 1st, 2019.
FireEye continues to chew on APT41, Double Dragon, the PLA spies who moonlight as crooks, or vice versa.
In a report issued yesterday, the researchers described the threat group's Messagetap malware.
The tool monitors and collects SMS traffic from specific phone and IMSI numbers.
It also watches for specific keywords.
Messagetap has been deployed in a Chinese government espionage campaign against high-value or high-payoff targets, including dissidents, journalists, and selected foreign officials.
FireEye calls the approach a combined focus on upstream data and targeted surveillance.
The attention NSO Group's Pegasus tool has attracted from WhatsApp and Citizen Lab has flushed some additional surveillance activity.
Reuters reports that Pegasus has been used against government officials in several countries.
The Israeli government denies any involvement.
The story is still developing.
Roskomnadzor, Russia's Internet Authority,
today began installing the tools necessary to disconnect the country's Internet from the global web,
should the government decide it needed to do that.
The plans for an autarkic web have been in place for some time.
Why disconnection is attractive to Moscow is obvious.
It would make censorship and information control easier, for one thing,
and it might also reassure Moscow that its disconnected networks were safer from foreign attack.
What the disconnection will mean in practice remains to be seen, as SC Magazine points out.
There are powerful commercial forces that tend to operate in favor of an internationally open Internet,
but Russia has resisted the lure of commerce before, and it might be able to do so again.
In any case, the experiment has just begun and will bear watching.
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency,
CISA, yesterday released details of the North Korean Trojan Hoplight, and that's H-O-P-L-I-G-H-T.
This Hoplight is not to be confused with an ancient Greek heavy infantryman. Hoplight opens a back door in affected machines, through which Hidden Cobra can crawl at will.
Washington's warnings about Huawei and ZTE are well known,
as are the strictures against various Chinese manufacturers of commercial drones.
The Department of the Interior, for example,
has just decided to ground its 800-strong drone fleet,
most of which is manufactured in whole or in part by Chinese firms.
Interior cites security concerns as the basis for the grounding.
And there have been rumblings inside the Beltway that TikTok is also bad news.
Those rumblings became semi-official today, as the proverbial sources in a position to know tell Reuters that the Committee on Foreign Investment in the United States has opened a national security investigation into TikTok's owner, Beijing ByteDance Technology Company, and its $1 billion acquisition of the U.S. social media app Musical.ly two years ago.
What specifically they're looking into isn't yet known, but members of Congress have expressed concerns over the possibility that TikTok could become a counterintelligence threat in the U.S.
Upstream Systems warns that the Android keyboard app AI.type is quietly making
unauthorized purchases of premium digital content, racking up a cool $18 million in fraudulent potential charges.
And those are just the bogus charges Upstream's Secure-D mobile platform intercepted and blocked.
AI.type represents itself as a free, fun keyboard app, great for people who like to use emojis.
But the only emoji this one calls to mind is the poop emoji.
Not only will it buy digital content you didn't order and probably don't want,
but AI.type also collects information about the infected user's actual preferences and purchases.
And, of course, it does the usual adware shtick of serving up invisible ads and collecting phony clicks.
Upstream recommends, of course, that you not contribute any more downloads to this malware.
It's already been downloaded more than 40 million times.
Google removed AI.type from the Play Store back in July,
at which point the malware's activity spiked for about a month,
then reverted to the mean, where it remains.
Watch your bills for inexplicable charges, especially for data you don't remember buying, and keep an eye on your mobile devices.
If they're behaving oddly, look more closely.
Trend Micro notes a cresting wave of criminal cyberattacks on esports. These have become big business, estimated last year to have become a billion-dollar industry, and money draws criminals
as rotting meat draws flies. Esports are pursued recreationally and professionally,
and colleges and universities have established esports teams
to go along with their football, basketball, and beer pong teams.
We're just kidding about the beer pong.
As far as we know, that's not risen above the level of a club sport.
In the U.S., the NCAA, the National Collegiate Athletic Association, considered bringing esports under its regulatory scrutiny, but for the time being, at least, has shelved the idea.
But plenty of NCAA schools haven't.
Some even offer scholarships to good gamers,
and it seems surprising that those don't appear to figure in the Varsity Blues scandal.
Go figure. You'd have thought Hollywood would have been up on esports.
The criminality is, as you might expect, opportunistic, running from selling hacks and cheats on the black market, to rigging games, to DDoSing tournaments or holding them up for ransom.
All of this is in addition to the trade in various in-game purchases as a means of laundering money.
Trend Micro sees no near-term end in sight, so hold on to your loot boxes.
And finally, happy birthday to the oldest of the five I's.
GCHQ turns 100 years young this week.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times
faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com
slash cyber. That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's
defenses is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover
they've already been breached. Protect your executives and their families 24-7, 365,
with Black Cloak. Learn more at blackcloak.io.
And I'm pleased to be joined once again by Robert M. Lee.
He is the CEO at Dragos.
Rob, it's always great to have you back.
I wanted to touch today on teaching.
That is something that I know is important to you.
And it's interesting to me that as your company has grown, and I think Dragos is up over, what, 150 people now,
it is still something that you carve out time
throughout your year to teach.
Why is that? What's the value there for you?
Yeah, the thing that I like about Dragos,
the thing that I like about the industrial security space
is the community feel.
And I think that's present in a lot of InfoSec circles,
but I know it's really present in ICS security for me personally.
And I've always felt that the answer can't just be technology or building a company.
It's got to be building a community.
And actually, I started the class. So I built the SANS ICS 515 class, with the active incident response, basically getting in your industrial networks and hunting and responding to attacks.
I built that years before I built Dragos. Actually, I built that when I was still in the military and the intelligence community, because we didn't have people to pull from, and so, you know, I got challenged by one of my mentors, Michael Assante, to go build this class so that we could onboard more people in the community, so we could start trying to solve this challenge.
And as Dragos has expanded, I definitely had to cut back.
I used to teach 10 times a year, 15 times a year,
which is each a week-long class, and that's a lot of time to take out.
As the demands of the company have increased, I've had to cut back.
I think next year I'm only going to be teaching five or six times.
But it still can be a drain to do it,
because the company's moving very quickly,
and there's tons of things to do.
But I find it really important to do for really three big reasons. One, very selfishly,
it's like my therapy. Being able to break out of the CEO role and still go be the practitioner
that shares lessons learned and case studies with anybody, including our competitors that
come to the class, but just trying to advocate to the community about what the community needs to be irrespective of vendors. Number two is I think it's incredibly important
to kind of expose the lessons learned that we're getting through Dragos to an audience that isn't
bound to a vendor training. So instead of necessarily just bringing everybody into Dragos,
we've got our own training classes and similar, but there's a place and a role for that. But then there's kind of that vendor agnostic.
I don't even have our technology and stuff in the class. It's just a vendor agnostic way to
just share true lessons learned to the community. So I think it's useful from that community
building perspective. And then third, I do take and consider the fact that I'm the CEO of the
company. I don't think that title has a whole lot of weight, but some people do. And I don't want my employees and folks that are
coming in going, oh, well, Rob is always so busy, so we have to be busy. I like the idea that
showing people, hey, I, even in running the company, can break away to go engage the community
in a non-vendor way. I challenge you to do the same. Go figure out ways to go teach at a local university.
Go speak at a local conference.
Do things that aren't there for business purpose.
They're just there for community engagement.
Go be better.
And I think in setting that example, hopefully we will always continue to have that culture
at Dragos. Do you continue to find value in interacting with people who are still at a very early stage of their experience here?
To have those fresh sets of eyes come in, does that provide you with a unique perspective?
Oh, absolutely.
And that's the beautiful thing, too, about SANS is I'll get not only absolutely new people in the field, but you also get seasoned professionals that come to those classes, you know, 500 level class.
So maybe somebody career changing over or even something that's been doing it for a while and they're just trying to figure out if they've been doing the right things.
And I think the reason you teach above everything is a love of the topic.
And that means that you should be a constant learner. Like
I learned more from the collective that is my students than any of them individually ever
learned from me. And so the opportunity for me to just sit there and share in their experiences
and be grounded in that community consistently, that's super valuable for me personally.
All right. Well, Robert M. Lee, thanks for joining us.
with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
My guest today is Phil Quade.
He's the Chief Information Security Officer at Fortinet
and author of the recently published book, The Digital Big Bang,
The Hard Stuff, The Soft Stuff, and the Future of Cybersecurity.
The cosmic big bang of 14 billion years ago, which launched our universe,
we ultimately discovered that there are some fundamental elements and forces within it,
which we ultimately characterized in some sciences called physics and chemistry.
And humans really started to hit their groove development-wise when we learned those sciences and started obeying those laws and understanding the elements that govern them.
I look at the past 40, 50 years, and I think it's a great analogy. I think we're in the midst of a digital Big Bang. There's a massive amount of information just exploding from our culture. We need to understand what are the fundamental forces, the fundamental elements within this digital universe, and we need to identify the core sciences that govern those digital Big Bang forces and put them to use, and then start flourishing in our digital universe.
You start off the book, even in your introduction, you cover what we got right and what we got wrong. What are you talking about there?
Yeah, so let's start with the precursor, which is the fundamental elements, which is, you know, in the case of the universe Big Bang, cosmic Big Bang, it's things like gravity, matter, energy, time, things like that. Well, in the digital Big Bang, the fundamental elements of which all cybersecurity needs to be based around, those are things like speed and connectivity.
Right. So when the Internet was, quote, created 40, 50 years ago, it was about those solutions based around those fundamental elements of cyberspace,
which is doing things as fast as possible and doing so in an integrated way since the Internet is fundamentally an integration function.
But back specifically to your question, you asked, what are the things that we kind of got wrong collectively when the Internet was first started up a few decades ago, several decades ago.
One of those things was authentication. The original internet was conceived mostly as a
collection of colleagues who knew each other, so personal authentication and data authentication
wasn't that important. We've been paying the price for that for a really, really long time. Almost
everything on the internet today, all the flaws of the internet today are based on lack of trustworthy authentication of people, machines, of information.
So that first section of the book that you asked about talks about the elementary shortfalls that
we just never got right from the beginning. A few that me and my colleagues listed were
authentication, patching, and training. One of the sections of the book deals with fundamental strategies.
You call it proven strategies that don't let us down.
One of them is an old favorite, especially from the place I used to work for.
So before coming to Fortinet, I spent about 30 years in the intelligence and national security community.
And in those jobs, we spent a whole lot of time getting cryptography right,
becoming masters of cryptography. And
cryptography, of course, is a means to provide some really strong mathematical principles to
ensure that information is kept private and to ensure information isn't changed and information
is authenticated. And it turns out that that's one of the three fundamental strategies that me
and my colleagues write about in the Digital Big Bang
as things that absolutely need to be leveraged from the beginning.
Cryptography, access control, and segmentation.
If I could, I'd like to just say a couple words about segmentation.
It's one of the earliest of cybersecurity strategies,
and some people may mistakenly think that the early age of that strategy means it's become less important.
I personally think the opposite's true, that segmentation has become the primary cybersecurity strategy of our day, right?
10, 15 years ago, the preeminent strategy was about creating a big border around our networks, either a physical or a logical one, and then doing some active defense at that boundary around our networks. But we all know that those boundaries have disappeared because
of things like wireless and mobility. And so what we need to do now really, really well is segmenting
off our assets so we can avoid breaches, so we can minimize their scope, and then we can recover
from them quickly. So segmentation is really important
to get right. So that's why we call it one of the fundamental strategies.
You know, I can't help thinking, given your title, about the notion of the cosmic calendar,
which is something that I think Carl Sagan popularized back when he did his original
Cosmos book and TV series, which was this notion that if you stretched out time across a calendar
and you started with the Big Bang, you said that was January 1st,
that it's only the last moments of the last day of that cosmic year
that humans show up in the course of evolution.
I'm curious, where do you suppose we are on a cybercosmic calendar?
How far along are we in the cosmic evolutionary scale?
Love the questions. I think that we're in the pre-scientific age of the digital Big Bang. So
let me just, as you just did, just go back in history just a little bit. Back in the Middle
Ages, we invented explanations that weren't based on science.
And we feared them. It often paralyzed us. And it wasn't until we started, I'll say,
admitting our ignorance that we, in fact, didn't know a lot about the world that we ultimately
started to really flourish as a culture. That's when we started the age of exploration.
At the time, ocean explorers were worried about falling
off the edge of the world. You know, today, astronomers are looking at the edge of the
universe. What a fantastic amount of advancement we've made as humans just in the past, you know,
a few hundred years or so. Now, in cybersecurity, we're starting to worry about the cyber edge,
right? The edge is about to get a whole lot more interesting to those doing cybersecurity. It used to be the desktop, then the laptop, then a tablet, then
the smartphone. But as we all know, the new definition of the edge is going to be the
explosion of devices that sit out there in the physical domain. I call it the sci-fi,
cyber physical integration. These are the IoT devices that are instrumenting everything
from our coffee makers to our health monitors to our automobiles. So the edge in cybersecurity has its own meaning,
and we're just about to start exploring that edge. So to answer your question, I think that we're
just exploring entering the scientific age of cybersecurity, and which is why this book,
The Digital Big Bang, advocates treating
cybersecurity like a science. Let's admit what we don't know. Let's observe what works well and why,
and rigorously and methodically adopt the things that work well and then keep building on the
shoulders of those successes. So it's trying to inspire people to recognize their moment we're in.
90% of all data has been invented just in the past few years.
We're in the midst of a digital Big Bang.
That's both a huge opportunity and a responsibility for us
to set the course for a bright future.
So it's designed to be a little bit inspiration
and a little bit call for a little bit perspiration.
You know, I suppose I can't help wondering, you know, is it in our best interest to look
to the sky for that cybersecurity version of an asteroid, you know, for some sort of
extinction event? Is that something we need to be mindful of as well?
Great analogy. I wish I'd worked that one into the book. There are some fear mongers out
there that say that things like AI is going to be our doom, or even that the adversary is going to
shut down, quote, the grid. I think both of those are a little bit too much fear mongering, meaning
AI is not a bad thing or a good thing on its own. It's just
a technology. People need to know how to best leverage that technology and use it for good. So
I don't see that as an asteroid. Now, the threat's a little bit one where we need to keep our eye on
as you know, right? We earthlings look out into near space for evidence that a future asteroid, an asteroid
is going to hit us in the future. I think we need to do the same about threats, right?
I'm not so worried about our entire power grid going down. Our electric grid is much better
segmented than most people understand and pretty resilient. But we do need to understand what
nation states aspire to do to us, both on the electric grid and our other critical infrastructure.
So to answer your question, I do think that the asteroid analogy is a pretty good one,
and I think that we need to do a better job of keeping our eye on those asteroids figuratively
to protect our critical infrastructures.
That's Phil Quade from Fortinet.
The book is titled The Digital Big Bang,
The Hard Stuff, The Soft Stuff, and the Future of Cybersecurity.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. We'll see you back here tomorrow.
needs AI solutions that are not only ambitious, but also practical and adaptable. That's where
Domo's AI and data products platform comes in. With Domo, you can channel AI and data into
innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate
your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.