CyberWire Daily - Cyberwar looms between Russia and the UK. Twitter and Facebook complete testimony, but inquiries continue. Unpatched MikroTik routers exploited. OilRig's new tricks.
Episode Date: September 6, 2018
In today's podcast, we hear that the Novichok attacks have brought Britain and Russia to the brink of cyberwar. The UK will take its case to the UN Security Council. Twitter and Facebook have completed their testimony on Capitol Hill, but investigation of tech's role in influence operations and public discourse continues. So do concerns about election security. Unpatched MikroTik routers are being exploited in the wild. OilRig shows some new tricks. Joe Carrigan from JHU ISI on biometric scanners tagging travelers at the border. Guest is Robert Anderson from the Chertoff Group with insights on the encryption debate. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/September/CyberWire_2018_09_06.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Novichok attacks have brought Britain and Russia to the brink of cyber war.
The UK will take its case to the UN Security Council.
Twitter and Facebook have completed their testimony on Capitol Hill, but investigation of tech's role in influence operations and public discourse continues.
So do concerns about election security.
Unpatched MikroTik routers are being exploited in the wild.
OilRig shows some new tricks.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 6th, 2018.
The day's biggest story comes from the United Kingdom. We may be seeing something that amounts, almost, to declared
cyber war between the UK and Russia. British Prime Minister May told Commons yesterday
that the government had identified the attackers responsible for the Novichok nerve agent attacks.
Those attacks were an attempted assassination of a former GRU officer, Sergei Skripal, and his daughter Yulia, back in March.
Skripal had been living in the UK
after being exchanged in a spy swap with Russia.
He'd been working for British intelligence.
Prime Minister May named Alexander Petrov and Ruslan Boshirov,
characterizing them as GRU operatives.
She said the attacks were almost certainly approved at a high level.
Other leading Conservatives were equally direct.
The chairman of the Commons Foreign Affairs Committee, Tom Tugendhat,
said there's no doubt the attacks were state-ordered
and President Putin bears responsibility for a warlike act.
The prime minister said that
the full range of tools from across our national security apparatus
will be used against the GRU.
That full range of tools is understood to encompass
principally offensive cyber operations.
The Prime Minister briefed U.S. President Trump Tuesday,
Canadian Prime Minister Trudeau yesterday,
and has requested an emergency
meeting of the United Nations Security Council.
Russia has consistently denied any involvement in the Novichok attacks, demanding to see
the evidence and claiming that the incident is an Anglo-American provocation, probably
aided and abetted by the Czechs.
Essentially, no one believes this, certainly not outside of Russia,
and probably not within Russia either.
The two GRU officers named, whose names Russian President Putin's foreign policy advisor,
Yuri Ushakov, told reporters "do not mean anything to me,"
will be prosecuted if British authorities can get their hands on them,
and GRU-associated organizations will face a range of sanctions,
but from what's being said in London, this won't be a simple matter of law enforcement or sanctions.
The story is still developing, but active cyber-offensive operations against Russia by the UK,
and possibly the other four of the Five Eyes, seem highly likely.
The encryption debate continues, highlighted by recent reports of a memo from the Five Eyes group, that's the US, UK, Canada, Australia, and New Zealand, demanding that service providers
create customized solutions tailored to their individual system architectures that are capable
of meeting lawful access requirements.
Many read that as being a backdoor. Robert Anderson is a principal at the Chertoff Group and previously worked in the FBI.
Now, I think my position on this, quite frankly, especially over the last three years since I've been in the private sector and left the FBI after I retired, it's changed. You know, one of the reasons it has changed is because between running practices in the private sector
that respond to cyber breaches of, you know, personal identifiable information,
banking information, and a variety of other things,
I think that the tech companies that are producing different levels of encryption have a fiduciary responsibility to their clients to make sure that that can't be breached.
I think when you do put in back doors, and I've seen it a lot in the several thousand breaches that I've run for clients since I've left the FBI, it opens up risk to hundreds of thousands of people.
So I think there really needs to be nowadays a new dialogue that's kind of started at the federal and state level,
especially the kind of leading technical companies around the United States,
to have a discussion on how can they help law enforcement obtain information that they may need either via warrant or other
means to protect this country, but at the same time, protecting the clients that have, you know,
employed them or hired them to hold their data secretly or in a secure manner. So can you take
us through what would that dialogue sound like? I think the first thing that you need to have a
start is there's a common ground. There's
a lot of information that, quite frankly, state, local, municipal law enforcements, and even some
federal law enforcement organizations really don't know how to mine. There's a tremendous amount of
open source data throughout the internet and through apps that people put on their phones
that can provide law enforcement with a lot of information. It can provide law enforcement with location of an
individual, where individuals like to frequently shop or go eat. There's a variety of things that
without breaking the trust of the clients to keep their data secure, they can assist the law
enforcement organization on learning how to mine that data. And whether it's mined through open sources or through a warrant,
I think that's a huge step in the right direction. Do you think there is a legislative solution to
this? If you had a, well, I remember certain levels of encryption used to be categorized as
munitions and was prohibited from being exported. Is that a path to pursue or is that going to lead us nowhere?
Well, I think a couple of things need to happen, right? One is that the federal government's
IT infrastructure is lagging. It's way behind the private sector. And a lot of that is because the traditional rules and laws that are set in
place to procure IT or any type of really infrastructure, it takes a very long time.
So between the bidding process, the multiple bidders, getting it funded, usually in the second
or third fiscal year from when you started, by the time you have the IT infrastructure
installed, it's already very much out of date when you're trying to keep up with the private sector.
And whether that's defense contracting, banking, or any other type of private sector needs,
historically, the private sector moves much faster. They don't have all those rules in place. So
one thing is I think you need the level of playing fields. And I think the Congress and Senate can help on this. I think they can help
the federal organizations that need updated IT modernization to allow to procure and install
that equipment much quicker and faster. That in turn will help these organizations actually
communicate to private sector companies and organizations much quicker and on an equal
basis. And I think that's a huge start to this. I think one of the other crucial things that tech
giants can help with, and again, it stays clear of actually decrypting or opening back doors,
but setting up training on digital evidence collection that I can guarantee you that there may be parts of the federal or state law enforcement community may understand.
But overall, you know, we have 70,000 police organizations across this country.
When you go to most countries, they have one, maybe two, because it's a giant federal police force.
It's a lot harder to make sure that everybody in the country that we live in actually has the ability to do these types of digital investigations. So I think that would be a huge help. And again, it doesn't break that barrier of encryption that the clients are expecting from these companies.
That's Robert Anderson from the Chertoff Group.
Hearings on social media held yesterday by the Senate Select Committee on Intelligence elicited from Facebook's Sheryl Sandberg her example of what might companies like hers
be expected to do against foreign influence operations.
Suspend inauthentic accounts, the way Facebook, Google, and Twitter did when FireEye tipped them to such accounts' links to Iran's government.
She said, quote,
But larger questions about disinfecting online nastiness remained unanswered, quite possibly because they're unanswerable.
The U.S. Department of Justice announced that it will be looking at social media providers
for signs of suppressing certain kinds of expression and for engaging in anti-competitive practices.
We turn to notes on evolving threats that industry researchers have had their eyes on recently.
Qihoo 360 warns of multiple malware attacks spreading across vulnerable, unpatched MikroTik routers.
They've identified more than 370,000 vulnerable devices.
The vulnerability in question was patched in April,
so this represents another case in which threat actors are exploiting known issues.
MikroTik routers are widely used and have been the subject of several waves of attack.
One of the better-known earlier waves involved exploits WikiLeaks publicized in its Vault 7 leaks.
Palo Alto Networks reports that Iranian threat actor OilRig has adopted a more evasive variant of the OopsIE Trojan.
OilRig has been active against government targets in the Middle East for some time,
against, to be specific, regional rivals of Iran.
It's shown considerable resourcefulness in adapting commodity tools
and adding useful functionality as it becomes available.
It's now doing so with its incorporation of the OopsIE Trojan.
This malware starts its execution by conducting multiple checks
for virtualized environments and sandboxes.
It checks such items as CPU fan information, a first for OopsIE,
temperature, mouse pointer, hard disk, motherboard, time zone, and human interaction.
In checking for time zone, it executes only if it finds itself in five specific time zones.
Then the Trojan sleeps for two seconds,
moves to the app data folder, and ensures persistence.
How is OilRig spreading this ingenious payload?
Through a familiar and well-proven method.
Spear phishing.
The Billington Cybersecurity Summit is running today in Washington, D.C.
As it always does, the summit will feature leaders from government and industry sharing their perspectives on threats, risks, innovation, and investment.
You'll find our live tweets from the conference in our Twitter timeline, if you haven't seen them already.
And we'll have more on the proceedings in upcoming issues of The Cyber Wire.
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer
challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk. In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute,
and he's also my co-host on the Hacking Humans podcast,
which if you are not listening to and subscribing to, shame on you.
So, Joe, welcome back.
Hi, Dave.
So, interesting story came by.
This was written by Hillary Grigonis from Digital Trends.
And this is "Biometric scanner catches imposter at U.S. airport on just third day of use."
Right.
So this is the Customs and Border Protection folks.
What's going on here?
So what's happened, somebody comes in and they present a Brazilian passport.
Right.
Something gets flagged and the guy gets searched and they find his actual passport, which is actually from the Congo, in his shoe.
All right.
So what has happened is this guy has tried to commit a crime.
He has tried to come into the country illegally with a falsified document.
And so presumably the system scans his face.
Scans his face, the picture on his passport.
I would guess the way this works is the picture on the passport
and the face that the human has are compared by the agent sitting there.
Right.
At CBP.
If this guy's coming in with a fake passport with his picture on it,
then it has to be the case that the U.S. government has access to the original picture.
Right, from Brazil.
From Brazil.
The person whose name is on that Brazilian passport.
So we must have some sort of sharing agreement at our borders with those databases.
Which would make sense to me.
That there's some kind of information about that might just have passport numbers and names and pictures in a database. Countries that are our
allies. Now. So it's working as it should be designed, right? No problem. People, you know,
potentially people up to no good coming into our business or into our country rather. No problem
here. Yeah. I don't know how I feel about this. Okay. Because I don't recall anything when I applied for my passport a number of years ago saying that my information would be distributed to foreign governments.
And that is apparently what has happened.
I mean, that's the kind of thing I can imagine being some part of some treaty.
Probably is.
Information, border protection, information exchange or something like that.
That every country has to go through this.
Right.
So, you know, part of me says, you know, I didn't know this was happening.
But the other part of me goes, well, you should have had some kind of expectation of this happening.
Yeah. It's almost a necessary thing to do in order to assure that every country can secure their borders, which is what every country wants to do.
Now, do you feel differently about this if it was going on within the United States versus at
the border? So if I'm flying domestically and they're checking my ID using some
sort of biometric scanning thing, that raises your hackles? Yeah, with flying, not so much. I mean, you could always take an alternative means of travel, I guess, but, you know, it still kind of irritates me. The big thing about all this security stuff is it generally tends to be security theater, right?
So everything we're doing, all this liberty that we're sacrificing, is not netting as much. Hmm.
That's my concern. You know, they penetration test the system.
Right. Their success rate at catching the weapons in these tests was 10%.
They caught 10% of the weapons that went on, which means 90% of the weapons passed through
the security checkpoint, which is not a good result.
That's an old result.
I don't know if they've improved the process or anything.
We certainly haven't heard anything about that.
Well, and on the other hand, how often do you hear about a plane being hijacked?
So maybe the security theater has made the bad guys move on to other methods.
Right. And they have moved
on to other methods. And
bad guys are going to do bad things.
It's just the way the universe
works. I would
really, really, really have a problem with this
if this was something
that law enforcement within the United States was
doing. I would think
that then we'd have some kind of unreasonable search and seizure going on.
But to enter the border of a country, you know, it's kind of creepy,
but I'm not sure I can be opposed to it.
All right.
Well, I mean, it's interesting that, you know, these systems are up and running,
and here's an example of it functioning the way it was intended, I suppose.
Yep. All right. Well, as always, Joe Carrigan, thanks for joining us. My pleasure, Dave.
Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.