CyberWire Daily - Cyberwar looms in the Middle East? Hidden Cobra’s fangs described. Evasive Astaroth. Ransomware in Texas courts. COVID-19 espionage. Content moderation.
Episode Date: May 12, 2020. Unattributed cyberattacks in an Iranian port prompt speculation that a broader cyberwar in the Middle East may be in the offing. CISA releases malware analysis reports on North Korea's Hidden Cobra. Astaroth malware grows more evasive (and it was already pretty good at hiding). Texas courts sustain a ransomware attack. COVID-19 espionage warnings are on the way. Twitter's misinformation warning system. Ben Yelin describes a Fourth Amendment case on automated license plate reader (ALPR) databases. Our guest is Brian Dye from Corelight on dealing with encrypted traffic without compromising privacy. And taking down Plandemic's trailer. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/newsletters/daily-briefing/9/92
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout.
Unattributed cyber attacks in an Iranian port prompt speculation that a broader cyber war in the Middle East may be in the offing.
CISA releases malware analysis reports on North Korea's Hidden Cobra.
Astaroth malware grows more evasive, and it was already pretty good at hiding.
Texas courts sustain a ransomware attack. COVID-19 espionage warnings are on the way.
Twitter's misinformation warning system. Ben Yelin describes a Fourth Amendment case on
automated license plate reader databases.
Our guest is Brian Dye from Corelight on dealing with encrypted traffic without compromising privacy.
And taking down Plandemic's trailer.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Tuesday, May 12, 2020.
Iranian officials acknowledge that Shahid Rajaee, the port of Bandar Abbas, sustained a minor cyber attack last week.
They characterize it as a failure, ZDNet reports, with only a few computers affected and operations of the port
undisrupted. The authorities offered no specific attribution beyond saying that the attack had a
foreign origin. Whether that foreign actor was a state, a hacktivist group, or a criminal gang
wasn't specified. The Jerusalem Post wonders if the Shahid Rajaee attack and the cyber attack on
Israeli water systems, which the newspaper says caught the Israeli cabinet by surprise,
are harbingers of a wider cyber war in the Middle East.
CyberScoop reports that the U.S. FBI and Department of Homeland Security
this morning released malware analysis reports on tools used by North Korea's Hidden Cobra threat group.
The Cybersecurity and Infrastructure Security Agency
summarizes the three reports in an announcement posted to its site.
Cisco Talos says that the Astaroth malware,
which ZDNet notes has also been tracked by IBM, Cybereason, and Microsoft,
has improved its obfuscation and evasion capabilities,
particularly with respect to its use of YouTube
channel descriptions to carry encoded and encrypted command-and-control communications.
So far, Astaroth, spread principally through phishing campaigns,
has been largely confined to Brazil, but that could change quickly.
The Office of Court Administration, which provides IT services for Texas courts, has been hit by ransomware, according to The Hill.
Their websites were taken offline after the attack, but courts are continuing business by other means.
They're distributing documents by Dropbox, for example.
Which strain of ransomware is involved hasn't been disclosed yet, but the courts say they're not paying the gangs, no matter what.
The Washington Post followed up yesterday's report in the New York Times and
elsewhere that the U.S. FBI and Department of Homeland Security were preparing a warning about
Chinese espionage directed against COVID-19 vaccine and treatment research, with news that
such warnings will probably be out within a week or so and not
within the few days originally expected. The Post notes that the warning is expected to focus on
non-traditional actors, that is, students and researchers already in place at U.S. research
institutions who are or will be activated to collect information on vaccines and treatments.
China's foreign ministry has preemptively denounced the warning.
Zhao Lijian, the spokesman for the Chinese foreign ministry, said,
quote,
We firmly oppose and fight all kinds of cyber attacks conducted by hackers.
We are leading the world in COVID-19 treatment and vaccine research.
It is immoral to target China with rumors and slanders in the absence of any evidence,
end quote. Given the threat the virus poses, it's unsurprising that intelligence services
have actively collected information about its origins, effects, epidemiology, and treatment.
Russia, Iran, and China are believed to have been particularly active in this regard,
as has Vietnam, which FireEye says began collecting as early as January.
Vietnam's interest has been focused largely on its Chinese neighbor.
There's a bit of natural tension at play between the desire to encrypt data for privacy and security
and the need to see into that data to ensure that bad guys or gals aren't taking advantage
of that very use
of encryption to help hide what they are up to. Brian Dye is chief product officer at Corelight,
and he offers these insights. We're definitely seeing a lot of encryption, which is good,
right? It gives a lot of security benefits, get a lot of privacy benefits. Most organizations that
we see are in the 60 to 70% kind of encrypted traffic.
And we find it's pretty interesting to think not just about the broad brush of how much is
encrypted, but about which flows are actually encrypted. Because you've got a bunch of outbound
content, right, that in particular is going to have a lot of personal traffic that has an
expectation of privacy, a bunch of inbound flows that you can choose to decrypt or not,
and then kind of internal or east-west flows
where you have the choice to engineer invisibility.
So there's the broad stat,
and then there's those three different types of traffic
that folks are really thinking about in many ways differently.
How do you recommend folks approach those individual flows?
Are there best practices here?
Best practices is a function of which geography you're in
and what compliance scheme you operate on.
But I would definitely say there's some design patterns.
Outbound flows where folks have the expectation of privacy,
those are generally not being decrypted
for all sorts of reasons,
especially if you're in the EU in general.
In areas where folks have the desire or the mandate to actually
encrypt inbound, especially stuff aimed at their business systems. We're still seeing some of that.
And then internal, I think, is becoming more and more encrypted, especially as folks think
about zero trust. Do you find that there are any common misperceptions that people have when it
comes to using encryption? I think the most common one is the belief that encryption kind of puts this veil of blindness
into the network. And as we've kind of talked about, that's really not the case, right? And
you know, if you take a simple example like JA3 hashes, right? When folks first had encryption,
we said, oh, wait, that's removing all this signal. So then, you know, folks like the Salesforce team came up with approaches like JA3, where you generate new
signal into these encrypted environments. And then the cat and mouse game is continuing, right? So
we've seen some actions of attackers, for example, trying to hide from JA3 signatures by using
pre-shared keys. Well, the trick is if you can actually find when pre-shared keys are being used, so essentially
an SSL instant encryption, right? Encryption communications that are happening without an
SSL handshake. Now you've found the pre-shared keys, so now you've gone through the whole cycle
of you have an insight mechanism, you have an evasion technique, and you have a countermeasure.
So that's kind of the oldest cat and mouse game in security, if you will, and it's absolutely continuing in the encryption world. And I suppose no sign of it just slowing
down. No, we don't see that slowing down. It's kind of the fun yet terrifying kind of evergreen
part of our world. And a lot of what we're trying to think about is how do we help enable and
connect different folks
in the open source community that are doing some pretty thought-leading stuff here, right?
Because we definitely find that, you know, just like in the JA3 example, when you've got a couple
of high-end defenders that are all seeing the same problem, just connecting the dots across
them so they can work on it together, that has a lot of value before you talk about anything
technical, right? Just helping us all build bridges so we can work together.
That's the right starting point.
That's Brian Dye from Corelight.
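Brian Dye's JA3 remark refers to fingerprinting a TLS client from its unencrypted ClientHello, and his evasion point is that a session which never shows a handshake gives the fingerprint nothing to work on. The following Python is an added example, not code from the podcast or from Corelight: it builds a constructed ClientHello, computes the JA3 string and MD5 in the published field order (version, ciphers, extensions, curves, point formats) while dropping GREASE values, and labels a flow whose first record is application data rather than a handshake. The sample bytes, the hostname, and the `classify` labels are constructed for this example.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are excluded from JA3 fields so that randomised
# filler does not change a client's fingerprint.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

def u8(n):  return struct.pack("!B", n)
def u16(n): return struct.pack("!H", n)
def u24(n): return struct.pack("!I", n)[1:]

def build_client_hello(version, ciphers, extensions, session_id=b""):
    """Assemble a TLS record carrying a ClientHello. Used here only to
    construct sample input; real fingerprinting reads captured bytes."""
    ext_blob = b"".join(u16(t) + u16(len(d)) + d for t, d in extensions)
    body = (u16(version)
            + bytes(32)                                   # client random (zeros in the sample)
            + u8(len(session_id)) + session_id
            + u16(2 * len(ciphers)) + b"".join(u16(c) for c in ciphers)
            + u8(1) + u8(0)                               # compression methods: null only
            + u16(len(ext_blob)) + ext_blob)
    handshake = u8(0x01) + u24(len(body)) + body          # HandshakeType client_hello
    return u8(0x16) + u16(0x0301) + u16(len(handshake)) + handshake  # record layer

def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record holding a ClientHello.
    Field order is JA3's: SSLVersion,Ciphers,Extensions,Curves,PointFormats."""
    if not record or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    p = 4                                                 # skip type + 3-byte length
    version = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    p += 32                                               # random
    p += 1 + hs[p]                                        # session id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                        # compression methods
    ext_types, curves, point_formats = [], [], []
    if p + 2 <= len(hs):
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            data = hs[p:p + elen]; p += elen
            ext_types.append(etype)
            if etype == 10:                               # supported_groups
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == 11:                             # ec_point_formats
                point_formats = list(data[1:1 + data[0]])
    def join(vals):
        return "-".join(str(v) for v in vals if v not in GREASE)
    ja3 = ",".join([str(version), join(ciphers), join(ext_types), join(curves), join(point_formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def classify(first_record):
    """Label the first TLS record seen on a flow: a ClientHello yields a JA3 hash;
    anything else (application_data with no visible handshake, as in a resumed or
    pre-shared-key session) is flagged so it can be reviewed by other means."""
    if first_record and first_record[0] == 0x16 and len(first_record) > 5 and first_record[5] == 0x01:
        return ("ja3", ja3_from_client_hello(first_record)[1])
    return ("no-handshake", None)

# Constructed sample: TLS 1.2 ClientHello with three real suites plus a GREASE one,
# SNI, a GREASE extension, supported_groups (with GREASE), ec_point_formats, signature_algorithms.
GREASE_CIPHER, GREASE_EXT, GREASE_GROUP = 0x0a0a, 0x2a2a, 0x1a1a
SAMPLE_EXTENSIONS = [
    (0, u16(7) + u8(0) + u16(4) + b"host"),                        # server_name (constructed hostname)
    (GREASE_EXT, b""),
    (10, u16(6) + u16(0x001d) + u16(0x0017) + u16(GREASE_GROUP)),  # x25519, secp256r1, GREASE
    (11, u8(1) + u8(0)),                                           # uncompressed point format
    (13, u16(4) + u16(0x0403) + u16(0x0804)),                      # ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256
]
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303, [0x1301, 0x1302, GREASE_CIPHER, 0xc02b], SAMPLE_EXTENSIONS)
# Constructed flow whose first record is application_data: nothing to fingerprint.
SAMPLE_APPDATA = bytes([0x17, 0x03, 0x03, 0x00, 0x02, 0xde, 0xad])

if __name__ == "__main__":
    s, h = ja3_from_client_hello(SAMPLE_CLIENT_HELLO)
    print(s)   # 771,4865-4866-49195,0-10-11-13,29-23,0
    print(h)
    print(classify(SAMPLE_APPDATA))
```

The GREASE filter is what keeps a browser's fingerprint stable across connections, and the `no-handshake` label is the cheap counterpart to Dye's point: a flow that starts with application data has either resumed a session you saw earlier or is encrypting without any handshake you can observe, and either way JA3 has nothing to say about it.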
Twitter has offered more information on its plan to label COVID-19 misinformation as such, Reuters reports.
The labels will say, quote,
Some or all of the content shared in this tweet conflicts with guidance from public health experts regarding COVID-19.
End quote.
A Learn More link will take users to some of that relevant expert guidance.
In cases where Twitter judges the misinformation to be particularly risky,
the social medium will display the warning before the user views the content.
Confirmed misinformation will be labeled, as will certain disputed claims.
It appears the false or disputed material will remain available, albeit flagged and linked to contrary views,
and this is in keeping with the marketplace of ideas approach Twitter appears to have adopted.
Twitter's public policy director Nick Pickles said,
quote, one of the differences in our approach here is that we're not waiting for a third party
to have made a cast-iron decision one way or another.
We're reflecting the debate rather than stating the outcome of a deliberation.
End quote.
This may be both a quicker and more permissive approach
than other content moderation being mulled elsewhere.
That more directive content moderation may be seen in the decisions
by YouTube, Vimeo, and Facebook to remove a trailer for a full-length film, Plandemic,
that pushes an anti-vaccine conspiracy theory about the origins of and response to
the COVID-19 pandemic. The Washington Post reports that these platforms have decided the trailer,
which at 26 minutes running time itself amounts to a short film,
pushes misinformation likely to prove dangerous to those who follow its advice.
YouTube says that its policy is to take down content that includes medically unsubstantiated
diagnostic advice for COVID-19, like the Plandemic trailer.
Facebook's rationale was more specific,
suggesting that wearing a mask can make you sick could lead to imminent harm,
so we're removing the video.
Vimeo said it was keeping our platforms safe from content that spreads harmful
and misleading health information.
The video in question has been removed by our trust and safety team
for violating these very policies.
Plandemic features fringe scientist Dr. Judy Mikovits,
who the Washington Post says has been associated with discredited research before.
Among the film's claims is the assertion that the wealthy have deliberately worked to drive up infection rates
in order to increase vaccination rates.
Before it was taken down from Facebook at
the end of last week, the Plandemic trailer had, Digital Trends reports, attracted 1.8 million
views, including 17,000 comments and nearly 150,000 shares. And as usual, the hooey gets a
head start on the straight dope. Or so the government hoods would have us believe.
Just kidding.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's
the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and
ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home,
your company is at risk.
In fact, over one-third of new members discover
they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Ben Yelin.
He's from the University of Maryland Center for Health and Homeland Security.
Ben, always great to have you back.
Interesting case you wanted to bring to our attention.
This has to do with automatic license plate readers, a topic we have touched on here before.
What's the latest?
Very interesting case that came out of the Ninth Circuit over on the West Coast dealing with an automatic license plate reading system.
So there was an individual who was seen committing a crime in a GMC Yukon.
Investigators, law enforcement could not see the individual committing the crime.
They just were able to get the make and model of the vehicle and traced it back through the license plate to a rental car company.
Rental car company told the officers that this Yukon had been rented to an individual named Yang, but that individual had not returned the car on time. So the question in this case is whether
this individual had a reasonable expectation of privacy in this vehicle, given that he had
violated the rental agreement and not returned the vehicle on time. Therefore, he did not have a valid property
interest in that vehicle. The rental company tried to locate the vehicle using its company-owned
GPS system. Mr. Yang had disabled that system. So after that had happened, the investigators put the
license plate into this automated license plate reading system. It was picked up. They ended up arresting Yang and charging him with this crime. So Mr. Yang
tried to suppress the search by saying that even though the rental agreement had expired, and even
though he was supposed to have turned in the rental car prior to when this crime had been committed,
he still retained, he still had a reasonable expectation of privacy in that vehicle. And there has been some case law
saying that just because a lease has expired, that does not automatically eliminate the lessee's
privacy interests in that property. And that's certainly-
Well, help me understand here before we move on. I mean, if I rent a car and in the course of me driving that car, I do something that catches the eye of law enforcement.
Are they typically allowed to go to the rental agency and say who rented this car?
So they would need a warrant to do that because you as a lessee have an expectation of privacy in that vehicle.
I mean, you've been granted a temporary,
it's a license, but it's a temporary property interest in that vehicle. So, you know, for that
period during the rental agreement, law enforcement would have to seek a warrant. Here they did not.
They just went to the rental car company and were like, hey, can you guys help us out? And they,
without obtaining a warrant, put this license plate into this automated
license plate reading system and got a hit. But they did so without getting judicial approval
to conduct the search. So the past case law basically says you eventually lose your Fourth
Amendment rights in rented property after the rental period has ended. Eventually is obviously a very vague term. We don't know
if that's a few days, one week, several weeks. But just because that rental agreement has expired
doesn't mean that your property interests have automatically been diminished. What the court
is saying here is Mr. Yang did not have a reasonable expectation of privacy in the vehicle for a number of reasons.
The first reason is there's no evidence that this rental car company had any policy or practice of allowing lessees to keep cars beyond the rental period.
And the rental car company had made a bunch of attempts to repossess the vehicle.
They tried to activate the GPS.
So they were trying to assert their own property interests.
So that's one element to the decision. Mr. Yang also argued that because of the Supreme Court
decision, United States v. Carpenter, a person has a privacy interest in the whole of his or her
movements across locations. I know we've talked about that case a lot on this podcast and our caveat podcast.
The gist of the case is in order to obtain historical location information, the government
has to have a warrant. And that's sort of what Mr. Yang was arguing here. So what the court here is
saying as it relates to that Carpenter question is this search had not revealed
the whole of Mr. Yang's physical movements.
It was not tracking him from location to location.
It just picked up his license plate
on one particular instance.
So Carpenter is not implicated in this case.
And because the rental agreement had expired,
he no longer had a reasonable expectation
in that piece of property.
So the conviction for now is upheld,
although you never know, it is possible that this case
could make it up to the Supreme Court and we get more clarity
on when a person loses their reasonable expectation of privacy
as it relates to automatic license plate readers on rented vehicles.
All right, that's an interesting one for sure.
Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. Thank you. Run smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.