CyberWire Daily - Cyber tensions and cyberwar. China’s influence ops against Taiwan apparently backfire. Maze gang goes for doxing. SIM swapping. FBI promises FISA Court it will do better.
Episode Date: January 13, 2020

The FBI reiterates prudent, consensus warnings about a heightened probability of cyberattacks from Iran, but so far nothing beyond credential-spraying battlespace preparation has come to notice. The U.S. Congress mulls the definition of “act of war” in cyberspace. Taiwan’s president is re-elected amid signs that Chinese influence operations backfired on Beijing. The Maze gang doxes a victim. SIM swapping enters a new phase. And the FBI promises the FISA Court it will do better. Ben Yelin from UMD CHHS on a Washington Post story about college campuses gathering location data on their students. For links to all of today's stories, check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_13.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The FBI reiterates prudent consensus warnings about a heightened probability of cyber attacks from Iran, but so far nothing beyond credential-spraying battlespace preparation has come to notice. The U.S. Congress mulls the definition of "act of war" in cyberspace. Taiwan's president is re-elected amid signs that Chinese influence operations backfired on Beijing. The Maze gang doxes a victim. SIM swapping enters a new phase, and the FBI promises the FISA court it will do better.
Coming to you today on assignment in Seattle, Washington,
I'm Dave Bittner with your CyberWire summary for Monday, January 13, 2020.
The U.S. FBI warned again of a heightened likelihood of Iranian cyberattacks, according to CyberScoop.
The bureau points to increased reconnaissance and scanning, but also notes sensibly that scanning from an Iranian IP address is not necessarily hostile, nor necessarily an indicator of an attack.
The bureau's warning is consistent with conventional wisdom.
A Washington Post poll of security industry leaders
reports the same concerns.
Beyond last week's minor website defacements
by sympathetic hacktivists, however,
active attacks have yet to materialize.
Forbes suggests that Iran is for the moment
on the back foot.
Protests in that country currently preoccupy
its security forces, Reuters reports,
with the immediate cause of the street demonstrations being the shootdown of Ukraine International Airlines Flight 752 on January 8, for which Tehran acknowledged responsibility Saturday.
Demonstrators appear to have been fired on with lethal ammunition in addition to the riot gas Iranian authorities say they used,
but it's best to regard some of the images coming from Tehran with caution.
Such images have been altered in the past.
For all that, it does seem clear that the Flight 752 shoot-down has become a rallying point for widespread dissent.
The most worrisome Iranian activity from the U.S. point of view remains the password-spraying attempts against North American utility networks, on which Ars Technica has a brief update.
The password-spraying campaign that the Magnallium group has conducted over the past year may seem noisy and indiscriminate, even sloppy, as researchers at security firm Dragos tell Ars Technica.
But in this respect, nation-state hacking is more like the NFL than it is the college football polls.
There are no style points.
And the sort of work done by Magnallium is indeed a good way, Dragos said,
quote, to build up relatively quickly and cheaply multiple points of access that can be extended into follow-on activity at a point of their choosing.
Microsoft and FireEye have tracked similar activity by Magnallium.
It's worth noting, again, that Dragos, as a matter of company policy,
doesn't attribute threat groups like Magnallium to specific nation-states.
But the consensus is that Magnallium and allied groups are indeed working for Tehran
and that they're up to more serious activity than was on display in last week's jejune hacktivist vandalism of lightly defended sites.
The U.S. Congress appears to be making heavy weather of rules of conflict in cyberspace.
The Hill suggests that Congress is particularly concerned with determining what counts as an act of cyber war. This question indeed doesn't have a clearly agreed upon answer. Some hostile activity in
cyberspace seems clearly to fall short of an act of war. Most intelligence collection, however
unwelcome it may be, falls short, for example. Some have drawn a line at the production of physical
damage, but again such damage would have to be significant.
Others draw the line at loss of life.
But the answer remains unclear, and Congress is mulling this over.
An 11th-hour surge of Chinese propaganda and disinformation
fell short of determining the results of Taiwan's presidential elections this Saturday.
The New York Times reports that Tsai Ing-wen won re-election
on the strength of support for continued independence, suggesting that Beijing's
influence campaign may well have backfired. President Tsai's re-election had been considered
a long shot as recently as a few months ago. It appears that the example of repression Beijing
has offered to Hong Kong dispelled thoughts that a one-state, two-systems arrangement might be possible.
The mainland has not given up on recovering what it continues to regard as a breakaway province
and has reacted to the election results with warnings that reunification is inevitable.
Malwarebytes has found that a legitimate site collecting donations on behalf of relief efforts for those affected by Australia's brush fires
has been infected with Magecart's skimming software.
The same script has also affected a large number of other e-commerce sites.
The Maze ransomware operators continue the new trend
in which extortionists steal data before they encrypt it,
the better to dox victims who decline to pay the ransom.
Southwire, a Georgia metal manufacturer, not only declined to pay,
but brought a troublesome lawsuit against people it was able to connect to a Maze news site operated out of Ireland.
The injunctions they obtained put a spoke in Maze's wheels briefly,
but the hoods are back up and operating out of a Russian hacker forum
where they've posted over 14 gigabytes of what they claim are files stolen from Southwire.
The Maze Gang puts it this way in somewhat more idiomatic English
than we used to see from the shadow brokers, quote,
But now our website is back, but not only that.
Because of Southwire actions, we will now start sharing their private information with you.
This only 10% of their information, and we will publish the next 10% of the information each week
until they agree to negotiate.
Use this information in any nefarious ways that you want.
Bleeping Computer, which is willing to chat with these types,
asked the gang for clarification and received only a reiteration of the initial
post with this explanation, quote, in retaliation we have something more interesting, end quote,
and here they insert a smiling wink punctuational emoji to show they mean business, and then go on
to say, but retaliation doesn't come if they begin negotiate with us. They decline to elaborate on what counts as more interesting.
Did we mention that our sympathies are entirely with Southwire?
They are.
SIM swapping appears to have entered an escalatory phase.
Motherboard reports that at least AT&T, T-Mobile, and Sprint
have been affected by recent RDP attacks
that enabled hackers to SIM-swap individual users.
Most cases of SIM swapping had been accomplished by corrupting telco employees to do the swapping.
This is different.
It still depends on social engineering,
but in this case the employees are innocent dupes, not co-conspirators.
And finally, the US FBI responded to the court overseeing the Foreign Intelligence Surveillance Act
with a chastened acknowledgment that it needed to, and henceforth would,
do better in handling requests it makes of the FISA court to conduct surveillance of U.S. citizens.
The court had starchily requested an explanation of improprieties in the Bureau's filings to wiretap Carter Page,
a one-time advisor to then
presidential candidate Trump. As the New York Times notes, the Justice Department's inspector
general found that the FBI had cherry-picked and misstated evidence they submitted to secure
the wiretap. The FISA court was not pleased.
And joining me once again is Ben Yelin.
He's the Program Director for Public Policy and External Affairs at the University of Maryland Center for Health and Homeland Security.
He's also my co-host on the Caveat podcast,
which if you have not yet checked out,
what are you waiting for?
Subscribe today.
Ben, always great to have you back.
This is an interesting story, I think, that caught both of our attention.
This is from the Washington Post, written by Drew Harwell.
This is colleges are turning students' phones into surveillance machines, tracking the locations of hundreds of thousands.
What's going on here?
So this was a real eye-opener for me.
So the opening anecdote is about this IT professor at Syracuse
who has placed seven small Bluetooth beacons around the auditorium
in which he teaches his class.
And when students enter the auditorium, their phones ping those Bluetooth devices,
and that's the way they register the attendance,
and they can get extra credit for registering their attendance in that way.
And then, of course, the stick to that carrot is if they're not there,
then the professor is going to know because their phone hasn't pinged.
And this gets to a broader trend in colleges across the country
about tracking students through their smartphones, through their devices.
There have been companies who have come up with systems in which the administration and
various professors can track students' college experience, how often they're going to the
library, whether they're missing meals at the dining hall, things that are somewhat
personal.
And when they talked in this article to school administrators, you know, school administrators
would defend this type of surveillance by saying, this is to protect the integrity of our student
body. It's to identify students who are potentially at risk. At risk of what? So if they're, you know,
never coming out of their dorm, you could potentially identify anxiety, depression,
potentially suicide.
If they're not showing up at the dining hall
and that's the only food option,
that's something that could be eye-opening
to an administrator or his or her parents.
If they're getting failing grades
and they're not showing up to class
and not showing up to the library to study,
then that's certainly eye-opening as well.
So you can understand why, from an administrator's perspective
and even from a perhaps overbearing parent's perspective,
this could be useful.
The reason it sticks out to me is if this gets broader,
if this goes beyond the limited number of universities mentioned in this article,
kids are not going to be able to be kids at college just because everything is going to be
tracked. And I just think you have to weigh the benefits of being able to identify risk among
students with the chilling effect this would have on kids being able to learn proactively, to sort of be themselves,
discover themselves. So I think you have to take all of that into consideration.
Yeah, I can imagine. I remember a friend of mine, one of my roommates actually in college was a vocal music major. So he was a singer. And as part of that, he had private one-on-one voice lessons in the music department.
And he'd had a late night out, and he'd canceled his class, his one-on-one voice lessons,
and he happened to be standing in the lobby of the music building and mentioned to one of his friends,
oh my gosh, I'm so exhausted. I was out late drinking last night.
I just overdid it and looked over his
shoulder and there was his professor. Yes. Right. The cat was out of the bag looking down upon him.
He revealed, you know, the true reason why he wasn't able to go to his lesson.
I tell that story because I wonder now, could that professor look up, you know, hey, Joey, you know, you
weren't in your dorm last night until 2 a.m.
Where were you?
And you weren't in the library, you know, that sort of thing.
Yeah.
I mean, I think that's an absolute danger.
One thing that particularly is concerning about this is it's generally not an option
for students as to whether to comply
because they might have to download these applications to enroll in certain classes.
And that's, you know, this anecdote that started at Syracuse University, that's the case there.
It's a requirement of attending the course. So, you know, it'd be one thing if you were able to
opt out, although even then the act of opting out of the surveillance could perhaps itself be
seen as sort of suspicious and increasing a person's risk. And you wouldn't be, for example,
couldn't use the university's Wi-Fi, which is a... Yeah, you're going to want to use that. Yeah.
Yeah. You know, especially if you want to do schoolwork on campus. It doesn't allow people to
make the type of mistakes that we have all made in college if you take this tracking to
its logical conclusion. And I think as somebody who's quoted in this article says, it just kind
of pervades a powerlessness on behalf of students, that they don't really have much agency. They're
constantly being watched. And just the surveillance itself sort of implies
that students can't be trusted to actually show up and do their work,
which probably has an impact on the students themselves.
I will say another interesting element about this is it was created,
the application that they reference here was created for tracking student athletes.
And you realize why this was the concern,
that the person who developed the app
was a college basketball coach.
And for eligibility reasons
and all other sorts of reasons,
it's important for coaches to know
that their players are attending classes.
They have a lot at stake.
There's a big investment the university has made
in a student athlete, potentially.
Exactly.
Yeah.
Exactly.
So, you know, I can understand it in that context
of I would say the same risk factors apply. You know, we're not letting the athletes take
responsibility for their own lives. And instead, we're deciding to monitor them. But I can
certainly understand when the school has invested so much in a student. You know, two things about
this. One, it strikes me that this is a case of just because we can doesn't mean we should.
Absolutely. Yeah, this is probably the best case of that that we've talked about.
And the other one is that I'm really resisting the urge to say, back in my day,
barefoot up and down the hill in the snow to my class.
That's right. It's in the pre-internet days of college, back when things were awesome and we did what we wanted to and our parents had no idea.
Yeah, exactly.
And, you know, I could legitimately tell my parents I was in the library to 2 a.m. last night when I was playing Mario Kart, you know, in my dorm room.
And you know what?
Like, people end up having very successful lives even when not going to the library
until two in the morning.
And so to use that to identify a risk score for a student
at a college just strikes me as something
that should give us some pause.
But I do think this was a fascinating article.
It's something that we're going to have to track
because it said in the article it's logged something like 1.5 pings from student devices across the country at over 40 separate schools.
So it's getting more and more prevalent.
The application is called SpotterEDU.
Yeah, this is certainly a story I think you and I are going to be following in the future.
Well, it's from the Washington Post.
It's titled, Colleges are Turning Students' Phones
into Surveillance Machines,
Tracking the Locations of Hundreds of Thousands.
Ben Yelin, thanks for joining us.
Thank you.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
We'll see you back here tomorrow.