CyberWire Daily - Cyberattacks and intelligence trade-offs. TrickBot’s new interests. Fancy Bear versus machine learning. Facebook looks for more ad transparency. Retadup take-down.
Episode Date: August 29, 2019
Senior US officials say the June 20th attacks on Iranian networks helped stop Tehran's attacks on tankers in the Arabian Gulf. TrickBot seems to be going after mobile users' PINs. Fancy Bear has taken note of machine learning and modified her behavior accordingly. Facebook revises its rules to achieve greater transparency in political and issue advertising. A multinational takedown cleans up the Retadup worm infestation. Ben Yelin from UMD CHHS on the proliferation of privately owned license plate readers. Guest is Martin Zizi from Aerendir on biometric security technologies. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/August/CyberWire_2019_08_29.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Senior U.S. officials say the June 20th attacks on Iranian networks
helped stop Tehran's attacks on tankers in the Arabian Gulf.
TrickBot seems to be going after mobile users' PINs.
Fancy Bear has taken note of machine learning and modified her behavior accordingly.
Facebook revises its rules to achieve greater transparency in political and issue advertising.
And a multinational takedown cleans up the Retadup worm infestation.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday,
August 29th, 2019. Senior American officials have described the June 20th U.S. cyber attack against Iranian targets. The New York Times says the officials see the operation as a success.
In addition to taking down military networks,
the cyberattack wiped out a database essential to the Islamic Revolutionary Guard Corps'
operations against tankers in the Arabian Gulf.
The Times report says that Iranian military and paramilitary authorities
are still trying to recover their systems.
The June 20 attack was chosen as non-lethal and indeed non-kinetic retaliation for Iran's shoot-down of a Global Hawk drone operating in what the U.S. and the rest of the civilized world considered international airspace.
Iran disagrees, claiming that the drone was flying in Iranian
airspace. The cyber attack was authorized after U.S. President Trump rejected proposals for
retaliatory airstrikes. The operation against the Revolutionary Guard is seen as an instance of the
more assertive U.S. military posture in cyberspace, what Director NSA and Commander U.S. Cyber Command Paul Nakasone calls
persistent engagement. There's some discussion of whether the cyber attack was worth it,
and in that respect it's worth considering what people take to be the inevitable downsides of
this sort of operation. First, there are concerns that attack code might be re-engineered and
repurposed by the target.
This concern hasn't been raised much in the context of the June 20th strikes.
Second comes the downside that's attracted more attention,
including, according to reports, attention within the U.S. government.
Using a capability of this kind alerts the target to one's presence in its networks,
and so the U.S. might have exposed and lost the access it evidently had to Iranian systems.
This would be an instance of the familiar complaint about cyber-attack tools.
They're generally held to be not so much use-it-or-lose-it capabilities as they are thought to be single-shot weapons that, once employed, can't reliably be used again.
There's something to these considerations, to be sure,
but any military attack decision is, or at least ought to be,
the conclusion of a cost-benefit calculation,
and in this case the benefits were held to outweigh the costs.
That, at least, is the view of the officials who talked on background to the Times.
It's probably also the view of tanker operators in the Gulf.
Consider a familiar problem from the older discipline of electronic warfare.
You've found an enemy radio network.
Do you jam it?
Do you destroy the emitters themselves with artillery or airstrikes?
Maybe.
Those would certainly deny the enemy the use of that network. On the other
hand, if the enemy network is transmitting a lot of ill-conceived orders that are misdirecting the
enemy forces, why not let it continue to operate? Or, to take a case closer to the one believed to
exist in the Gulf, if you're reading all the enemy traffic and if the stations on that network are
well-informed, chatty, and poorly secured,
then it might well be worth letting them keep talking.
In this case, the decision seems to have been that the benefits of attack outweighed the costs an attack might exact in terms of access.
We'll leave it at that, and just add, good hunting, Cyber Command.
Researchers at SecureWorks report that TrickBot is exhibiting new functionality
that poses a particular threat to mobile users.
The malware now seeks PINs that could be used to give Gold Blackburn,
the threat group behind TrickBot, the ability to access voice and text communications.
Code injected through user interaction with a bogus sign-in page initiates
TrickBot's record function. It's easy to grow accustomed to the convenience of biometric
security features on our mobile devices. I know I have. But some suggest it's important we not
allow ourselves a false sense of security. Martin Zizi is founder and CEO of biometric security company
Aerendir Mobile.
If you have a biometric database,
you know databases are essentially
breachable, hackable,
if they are of interest.
So, you can survive
the loss of a credit card,
the loss of a social security number.
We lost a few,
but in the end,
we're bitching about getting our credentials back on ship,
and we move on.
If you lose your biometry now and in the future of the IoT,
your loss is perpetual,
because if you lose your face or your finger imprint,
there is no way this side of the galaxy
that you can get a new face or new fingers.
So, databases are no-go, for example.
Another is that some of the technologies are perfectly fine to unlock a phone or to make
a small buy on Amazon or wherever, you know, transfer money from phone to phone.
But they don't meet the stringency criteria of unhackability, unspookability, and even
reliability that are needed.
Because let's say if a biometric works at 95%, it's fantastic as a product, and I use them.
But 95% if I do bank transfer is not okay.
I need 99.5% at least.
And even there, I need probably two factors to be ensuring that you don't get access to my money
and I don't get access to my money and I don't access to yours.
So is this a matter of using a combination of things to increase the reliability and security?
It might, but it's against give a full sense of confidence. If you use signals or information
that are non-related, it's a plus. But look at the pseudo solution.
I could say the way you walk, your gait,
the way you hold your phone, your hands, where you live,
you have one girlfriend, two girlfriends, one wife. Do you go doing ice skating on Saturday?
You aggregate data and then you build profile.
And these profiles that are essentially multi-factor
can maybe get at your identity.
But there are two problems with that.
First, it's a statistical analysis and it takes weeks to reach 80-85% of accuracy.
And imagine how much more time you need to reach a higher level of safety.
And second, it's darn incompatible with democracy.
You understand, we're not cattle to be tagged from cradle to tomb.
It raises a new question.
In which society do you want to live?
Do we want to be at the gate of the airport banned because we have a moving violation?
You understand?
So I think I'm not advocating for a solution versus the other.
I think it's about time that the consumer,
that the people and everyone involved,
because it concerns us all,
start to understand and make the informed choice.
Because it's all about choice and it's all about giving to people
the access to the right information
so that they can choose,
oh, I'm fine with face recognition, for example.
Besides the fact that it's funny to open my phone with it,
I'm fine with it because I see no problem with that.
But then I've been at least told the problem.
That's Martin Zizi from Aerendir Mobile.
BlackBerry Cylance's ThreatVector threat research team
has released new research into a malware sample used by APT28, that is Fancy Bear, Russia's GRU.
ThreatVector's new research details analysis of samples U.S. Cyber Command uploaded to VirusTotal.
They found that the malware is, quote, a multi-threaded DLL backdoor that gives the threat actor full access to and control of the target host.
Fancy Bear's stripped-down malware is surrounded by a great deal of benign code,
and ThreatVector thinks the new approach represents a response to widespread defensive use of machine learning.
Facebook has announced a revision to its rules concerning political advertising.
The rules will govern both campaign ads and advocacy ads
concerning social and political issues.
They aim at producing disclosures that would achieve greater transparency
with respect to who's sponsoring and paying for the advertising.
Finally, Avast has helped the French Gendarmerie
take down the Retadup worm's command and control
infrastructure. Retadup has been active over the past two years, but the coordinated action
took over the controlling gang's servers and had them send uninstall commands to approximately
850,000 infected Windows machines. A design flaw in Retadup's code enabled the deletion, as Avast engineers discovered.
Retadup has been a particular nuisance in Latin America,
with Venezuela, Bolivia, Ecuador, Mexico, Colombia, Argentina, and Cuba combining for 85% of the botnet.
It's been used for a variety of purposes, but over the past year, Retadup has been mostly employed in cryptojacking.
So bravo Avast, and all credit to the Gendarme's Cybersecurity Bureau.
A side note on attribution: the skid who claimed responsibility for Retadup
has been boasting in social media under the name Black Joker.
It appears that his identity may now be known.
Security researchers at Under the Breach
tracked the gentleman's spoor through social media
and were able to find him using domain registration data.
Under the Breach told ZDNet
that the fellow appears to be a 26-year-old Palestinian.
His name is being quite properly withheld by the media for now,
but we imagine that his contact information
has been provided to the French authorities,
the FBI, and various other interested parties.
edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving
customer challenges faster with agents, winning with purpose, and showing the world what AI was
meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers
to learn more. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University
of Maryland Center for Health and Homeland Security. Ben, it's always great to have you
back. We had a story come by from Slate. This was written by Josh Kaplan.
And the title was, License Plate Readers Are Creeping Into Neighborhoods Across the Country.
What's going on here?
So a startup company that specializes in automatic license plate reading has been selling their services to security companies that manage large apartment buildings. This article
takes place in New York City, where most of the large apartment buildings in the country can be
found. And one thing that's very interesting about this is while law enforcement has obviously used
automatic license plate reading to help solve usually serious crimes. This private security company, in conjunction with the managers of these large apartment buildings,
are actually using the license plate reading technology for more mundane tasks,
like figuring out whether somebody lied about getting hit by a car in a parking lot,
which would have relieved them of their rent payments for one month. And I think the upshot of the story is that because the use of this technology has become ubiquitous and also very
cheap, it's becoming far more prevalent. And it's not just a high-tech law enforcement tool. It's
also becoming something that private organizations can use to monitor their users.
Now, I can see an apartment complex making a case for registering my car to make sure that I live there, if I am entitled to a parking place, that sort of thing. I don't know how I feel about them
tracking my comings and goings. You don't really have any legal leg to stand on here based on current Supreme Court precedent. We have a very unsettled view of the legality of automatic license readers. There's been some conflicting case law on it.
Law enforcement and private companies as well have the right to surveil you when you make yourself available in public.
And so it's not like they're going into your private garage and reading your license plate there.
They're doing it on public avenues. Of course, in the past, even when license plate reading technology became more prevalent, it was still expensive.
And it still required some level of police work to set it up and to do the tracking. Now, because it's so cheap and so
readily available, and the technology is much better, you can conduct this sort of routine
mass surveillance to figure out whether someone's been crashing on a couch in an apartment building
because their car's been in the parking lot
and they don't have a resident sticker in their car for a period of five to seven days.
So yeah, I mean, I think most people might expect that their license plate could be read
for serious law enforcement matters,
but not for mundane
property management business that people probably think is beneath the importance level for such a
technology. The public view doctrine was developed at a time when we were anticipating and thinking
of police spotting somebody darting down the street running, or some human intelligence source saw a
criminal suspect in a store at a time that a robbery took place. It's different when we're
talking about the routine collection of a significant amount of data, and it also requires
very little human capital. So I think what I'm trying to say there is that there's nobody
sitting in the apartment building, you know, firing up their camera and taking pictures of
license plates every three seconds. It's all automated. So it's conducted on a mass scale.
There really isn't an opt out for users. And my guess is that most people who live in these
apartment buildings where security
companies are using this technology are probably completely unaware that it's being used.
I suppose, though, I mean, it's fair to say there's upsides to this. If I'm an apartment
complex and someone is coming and dumping trash on my property or something like that,
this could make it easier to track someone like that down. Absolutely. I mean, it's a great tool for law enforcement. It's actually, I mean,
studies have shown that it has been an effective tool at solving both serious and petty crimes,
because you can pinpoint somebody's location based on where their vehicle was at a given time. So
there are absolutely benefits from a law enforcement perspective.
And from a private security perspective, they absolutely have an interest in seeing which cars are coming in and out of their property and when they're coming in and out and the duration of time
that that car is spent in that parking lot. So there are all sorts of routine reasons, many of
which are mentioned in this article, why a security company would be interested in that information. But once again, you know, are those benefits to these private
security organizations and to these property managers sufficient to justify the bulk collection
of tenants' real-time whereabouts? And I think that's kind of an unanswerable question. Yes, it does add a
level of convenience for property managers and for law enforcement, but I think that also comes
at an expense to personal privacy. Well, Ben Yelin, thanks for joining us. Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced
in Maryland out of the startup studios of DataTribe,
where they're co-building the next
generation of cybersecurity teams and
technologies. Our amazing CyberWire
team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar, Joe
Kerrigan, Carol Terrio, Ben Yelin, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Thanks for listening.
We'll see you back here tomorrow.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.