CyberWire Daily - Daily: US, Russia trading hacks in cyberspace? Brazilian cybercrime ramps up.
Episode Date: August 2, 2016
In today's podcast we give a short update on Black Hat before turning to developments in Syria and Iran. Tension between the US and Russia mounts over alleged Russian hacks of US political campaign networks and, more recently, alleged US spyware operations in Russian enterprises. ISIS wishes to disrupt the Olympics, and cybercriminals are seeking to profit from the Rio Games. Adware uses steganography, and INTERPOL takes down a Nigerian online scam. Ben Yelin explains a recent court ruling in Microsoft's favor that deals with offshore data privacy, and Sameer Dixit from Spirent outlines emerging threat patterns.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A quick look at Black Hat.
Iran appears to be watching Syrian dissidents,
and an Israeli hacktivist breaches an Iranian ISP.
Observers continue to track the apparent Russian hacks of at least three U.S. Democratic Party
groups.
Russia says it's found a sophisticated spyware infestation of its networks, and the news
media draw the inference NSA.
WikiLeaks says more Quentin docs are coming.
Afraidgate switches from CryptXXX to Locky.
Yahoo credentials may be for sale in the black market.
ISIS hopes to disrupt the Rio games. Criminals hope to profit. I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, August 2, 2016.
Black Hat has completed its training sessions and opens today with the CISO Summit. We'll keep you
apprised tomorrow of anything we learn at the conference. The demonstrations, the arsenal,
the presentations, and the exhibit hall all go into full swing tomorrow and Thursday.
One of the more anticipated demonstrations will be Miller's and Valasek's car hack.
They'll be picking on the Jeep Cherokee again, and this time they intend to show what they can do through a compromised CAN bus.
There will also be the usual round of product announcements, awards, tips, techniques, and observations.
We'll keep you posted.
Elsewhere in the world, the University of Toronto's Citizen Lab and researchers at FireEye
see signs of Iranian cyber espionage targeting anti-Assad Syrian dissidents, some of them based in Turkey.
FireEye calls the activity characteristic of other Iranian operations it's observed.
Iran itself has sustained an attack.
An Israeli hacker, probably a hacktivist, although it's early to be certain,
is said to have breached the Iranian internet service provider Daba. User credentials are reported to have been leaked.
The ongoing troubles surrounding U.S. election hacks continue. The Democratic National Committee,
the Democratic Congressional Campaign Committee, and the Clinton campaign have all been doxed,
and various security firms continue to regard the culprit as the Russian government.
Fidelis and ThreatConnect, both of which have investigated the DCCC hack,
say they're convinced Fancy Bear, the GRU, was behind it.
The Clinton campaign, addressing their own hack, claims that only a DNC voter analytics program they used was compromised.
The campaign's internal systems and email are, they assure the
public, still secure. The FBI is investigating. Russia may be positioning itself as an injured
party. The FSB has announced that professional spyware has been found on sensitive Russian
networks. They teach an object lesson in attribution by declining to say who they think did it,
but you don't have to be
Philip Marlowe to put two and two together and add them up to USA. The media covering the story
haven't been slow to speculate that U.S. security services, NSA being the one inevitably mentioned
in dispatches, have compromised some significant Russian networks and perhaps have found their way
into the Cozy Bear and Fancy Bear as well.
The bears are, respectively, thought to be FSB and GRU operations.
For its part, the U.S. mulls how, and indeed whether, to respond to Russia's apparent intrusion
into various Democratic Party networks. WikiLeaks' Julian Assange refuses to say where he got the
Democratic Party documents he's dumping, but he does say they've got a lot more to dump.
They'll be releasing it soon, he says, at their discretion.
Some recent court decisions have shaped the data privacy landscape.
Later we'll hear about the implications of one of them,
the ruling in Microsoft's favor that enables Redmond to keep data stored in Irish servers away from U.S. law enforcement.
In cybercrime news, social engineers are turning to
QRL jacking, a newly popular way of compromising accounts,
so disclose QR codes with due circumspection.
The Afraidgate ransomware operators are still using the Neutrino
exploit kit, but appear to be shifting from CryptXXX to Locky.
Researchers continue their scrutiny of the AdGholas malvertising campaign, with particular
attention given to the means by which its operators cover their tracks.
Proofpoint notes that much of AdGholas' stealth and obfuscation has been achieved through
steganography, hiding code in images.
Peace, the criminal known for selling MySpace and LinkedIn credentials,
many of them junk but still a problem and a nuisance, is back on the criminal forum,
The Real Deal. This time, he says he's offering 200 million Yahoo credentials. He says they've
been traded privately for some time, but that now they're being offered openly. Peace wants
three Bitcoin, about $1,860. Yahoo is investigating.
The breach remains unconfirmed. We spoke with Spirent's Sameer Dixit about what Spirent is
seeing with respect to emerging threat patterns and what you can do to protect yourself.
One of the newest patterns that we have actually seen, which was not there, sort of not fully developed, last year, was automotive
security, SCADA, ICS stuff, and IoT. Places where security so far has been done with obscurity,
places like healthcare systems and networks, SCADA, ICS, automotive. Like, until a year or two
ago, if you go after an automotive vulnerability
disclosure, companies would lawyer up and shut you down. But now the industry
has gotten a little bit more acceptance of bug bounty programs and things like that. So you
would see more and more come out of that industry in terms of cybersecurity vulnerabilities and threats. And then the fourth one is IoT being a new area.
We focus mainly on right now, mainly on making it work.
Now that we have kind of reached the state that it has started to work,
now people are thinking about like, oh, we built this, but there are security gaps.
And these are the four trends where I would see,
like healthcare, SCADA, ICS, automotive, and IoT, where there would be more need for security going
forward, and I would see this as a trend. Sameer Dixit also has some advice when it
comes to password strength. When it comes to passwords, there is a big misconception about,
okay, I need to make my password complex.
But really, when it comes to passwords, it's not really the complexity, it's the size that matters.
So making it longer, you're making it tougher to crack than making it more complex with nowadays' computing power.
That's Sameer Dixit from Spirent.
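As an added illustration of the length-versus-complexity point (this is editorial example code, not anything from the podcast or from Spirent), the script below estimates the brute-force search space of a password in bits, compares a short "complex" password against a longer lowercase passphrase at an assumed offline guess rate, and also shows the honest estimate for a passphrase when the attacker knows it is built from dictionary words. The sample passwords and the guess rate of ten billion guesses per second are constructed assumptions.

```python
import math
import string

# Character classes used to estimate the alphabet a brute-force search has to
# cover. This is the classic "naive entropy" estimate: it assumes every
# character is drawn uniformly from the classes actually present.
CLASSES = [
    ("lowercase", set(string.ascii_lowercase)),   # 26
    ("uppercase", set(string.ascii_uppercase)),   # 26
    ("digits", set(string.digits)),               # 10
    ("symbols", set(string.punctuation)),         # 32
]
KNOWN = set().union(*(cls for _name, cls in CLASSES))


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search would have to enumerate."""
    chars = set(password)
    size = sum(len(cls) for _name, cls in CLASSES if chars & cls)
    # Characters outside the four ASCII classes (space, non-ASCII letters)
    # each widen the alphabet by one.
    return size + len(chars - KNOWN)


def entropy_bits(password: str) -> float:
    """Naive search-space entropy: length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Entropy when the attacker knows the secret is n words from a wordlist.

    This is the honest figure for a passphrase: per-character entropy
    overstates it because the characters are not independent.
    """
    return n_words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to enumerate the whole space at an offline guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare(short_complex: str, long_simple: str) -> dict:
    """Return the bit estimates and the ratio of search-space sizes."""
    short_bits = entropy_bits(short_complex)
    long_bits = entropy_bits(long_simple)
    return {
        "short_bits": round(short_bits, 1),
        "long_bits": round(long_bits, 1),
        "long_is_stronger": long_bits > short_bits,
        "space_ratio_log2": round(long_bits - short_bits, 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs: an 11-character mixed-class password versus a
    # 25-character lowercase-only passphrase.
    short_pw = "Tr0ub4d&r3!"
    long_pw = "correcthorsebatterystaple"
    print(compare(short_pw, long_pw))
    for label, pw in (("short/complex", short_pw), ("long/simple", long_pw)):
        bits = entropy_bits(pw)
        print(f"{label:14s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
    # Four random Diceware-style words (7776-word list): what the attacker
    # actually faces if the construction method is known.
    print(f"4 dictionary words: {passphrase_bits(4, 7776):.1f} bits")
```

The takeaway matches the interview: adding characters multiplies the search space for every extra position, whereas adding character classes only enlarges the base. The last line is the caveat: a passphrase drawn from a known wordlist should be sized by words times log2(list size), not by its character count, so it still needs enough words to be comfortable.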
The criminal infrastructure in Brazil has ramped
up for a wave of theft and fraud surrounding the Olympic Games. Fortinet reports an 83%
surge in malicious URLs detected in Brazil. There's also been a rise in test attacks.
Sponsors, participants, attendees, and others interested in the Games are warned to be on their
guard. Opening ceremonies will be held this Friday evening.
There is unfortunately also another threat to the Olympics.
Observers tracking ISIS say the terrorist group has increased its use of Portuguese
in the inspirational traffic it's currently circulating.
The group desires jihadist attacks on the Games.
Brazilian authorities and those of other nations are increasing their vigilance.
Some good news on cybercrime. Interpol takes down a Nigerian scammer with assistance from
Trend Micro and Fortinet, so there will be at least one fewer gang inviting you to share in
the oil wealth of a recently deceased and quite fictitious prince. A highly cleared FBI tech has
pled guilty to a charge of spying for China.
It's good news that he's out of circulation, but bad news that he was in circulation at all.
Our stringers are getting some advice on security from Black Hat USA,
which notes that it doesn't condone any malicious activity in Vegas or anywhere else.
It's common sense stuff, but it's always worth giving common sense a once-over.
So remember, don't expect privacy on the internet.
Don't open links you get from unknown or untrusted sources.
And don't, please don't, take thumb drives from strangers.
I mean, you wouldn't take candy, right?
Unless maybe they were mints in a bowl of the Acme cybersecurity company's booth, but you know what we mean.
Encrypt your traffic, always good advice, and don't connect
to any unknown network. Disable Bluetooth and NFC, and don't, don't, don't plug into any random
open line jack or cable. Nothing good ever comes of that. Don't leave your devices unattended,
and be sure your patches are up to date before you arrive. And bring cash. You use ATMs near
the conference at your peril, so don't let your card get skimmed.
Oh, and when you leave Las Vegas,
let your passwords stay in Vegas.
Pick new passwords for everything.
Beyond that, enjoy Black Hat.
We're pretty sure our stringers are.
Joining me once again is Ben Yelin. He's a senior law and policy analyst with the University
of Maryland Center for Health and Homeland Security. Ben, a case came through recently about Microsoft winning an appeal.
It was a ruling about data searches.
What can you tell us about this ruling?
So the background of the case is that a federal judge in New York in 2013 issued a warrant
for the emails of a suspect that was involved in, or alleged to have been involved in, drug trafficking.
And some of the data that the government sought resided on Microsoft computers located in Ireland.
Microsoft fought the order in court, arguing that it shouldn't be forced to comply with a U.S. court order demanding data held in another country.
The Justice Department's counter was that because Microsoft is a U.S.-based company,
the government can get the data even if it is stored elsewhere. So this became a major high-stakes battle between Silicon Valley and the U.S. law enforcement community, especially
piggybacking off some other high-profile cases this year, like the iPhone unlocking case in San Bernardino. So Microsoft won this battle. In a federal appeals court, they ruled that the
government cannot force Microsoft to turn over emails or other personal data stored on computers
overseas. I think this case is going to have major ramifications, and it could also influence both
where companies like Microsoft store their data in order to protect the privacy of communications
and who customers use to protect their most personal information. I also think that a key
civil liberties victory here is that the court viewed these communications as having greater privacy interest because they contain the content of communications than something like business
records or financial records. I think in previous cases, courts have determined that those types of
records, transactional records, would be accessible even if they're stored overseas.
But because there's a greater privacy interest at stake with the content of communications,
there needs to be more stringent protection.
So I think it's a major victory for Microsoft.
It's a major victory for Silicon Valley and for privacy advocates.
Is this a situation where companies like Microsoft or companies like Apple,
who've expressed an interest in the privacy of their users, they could simply offshore the storage of personal information and by that matter, protect it?
I think that would be the most sweeping implication of this case.
And I think we'll see what happens once it moves beyond the Second Circuit.
If the Second Circuit is affirmed or the Supreme Court refuses to take the case, then I think
we're going to see sort of a groundbreaking shift in where data is stored.
And I think both companies and individuals who have a great interest in protecting their
private information are going to look to this case as a precedent and start to store some
of their most personal information on overseas servers.
All right, Ben Yelin, thanks for joining us.
And that's The Cyber Wire. We are proudly produced in Maryland by our talented team
of editors and producers. I'm Dave Bittner. Thanks for listening.