CyberWire Daily - Debunking deepfakes. Hacktivism and information warfare. The prospect of “splinternets.” Germany warns of security product risks. Disruption of Ukrainian ISPs. New wrinkles in phishing.
Episode Date: March 17, 2022

Not-so-deepfakes debunked. Hacktivism and information warfare in Russia's war against Ukraine. The prospect of an age of "splinternets." Germany warns of risks from Kaspersky security products. Disruption of Ukrainian ISPs. David Dufour from Webroot on cyberattacks hitting the automotive sector. Carole Theriault ponders parental disclosure of tracking their kids. Three new wrinkles to social engineering.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/52

Selected reading.
Russia and Ukraine 'draw up 15-point peace plan' (The Telegraph)
Deepfake video of Zelenskyy could be 'tip of the iceberg' in info war, experts warn (NPR.org)
The Russia-Ukraine War And The Revival Of Hacktivism (Digital Shadows)
In a Chilling Threat, Putin Vows to Rid Russia of 'Traitors' (Bloomberg)
Russia is risking the creation of a "splinternet"—and it could be irreversible (MIT Technology Review)
Traffic interception and MitM attacks among security risks of Russian TLS certs (CSO Online)
Germany's BSI warns against Kaspersky AV over spying concerns (CSO Online)
Major Ukrainian Internet Provider Triolan Suffers Severe Cyber Attacks and Infrastructure Destruction During Russian Invasion (CPO Magazine)
The Attack of the Chameleon Phishing Page (Trustwave)
The Email Bait … and Phish: Instagram Phishing Attack (Armorblox)
Using CAPTCHA Forms to Bypass Filters (Avanan)

Transcript

You're listening to the CyberWire Network, powered by N2K.
Not-so-deepfakes debunked. Hacktivism and information warfare in Russia's war against Ukraine. The prospect of an age of splinternets. Germany warns of risks from Kaspersky security products. Disruption of Ukrainian ISPs. David Dufour from Webroot on cyberattacks hitting the automotive sector. Carole Theriault ponders parental disclosure of tracking kids, and three new wrinkles to social engineering.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 17th, 2022.
We begin, as we have been, with some notes on Russia's war against Ukraine, since that war has set the conditions under which most events in cyberspace are playing out. Diplomacy continues, even as Russia intensifies the brutality of its attacks against civilians. The Telegraph reports that negotiators are considering a 15-point plan that would, among other things, require Ukraine's neutralization but would permit it to maintain a smaller army. It's unclear that the plan would be acceptable to either side.

A faked video appeared yesterday that seemed to show President Zelensky asking Ukrainian soldiers to lay down their arms. According to NPR, the video was crudely prepared, badly lip-synced, voice and accent wrong, head not quite matching the body, and so on, which would make it seem more shallow than deepfake. It was swiftly debunked, but was nonetheless widely amplified on Russian platforms. President Zelensky said in response that the only people he'd invited to lay down their arms were Russian soldiers. Meta detected and removed the phony video from its platforms. Meta's Nathaniel Gleicher took to Twitter to explain, quote, earlier today our teams identified and removed a deepfake video claiming to show President Zelensky issuing a statement he never did. It appeared on a reportedly compromised website and then started showing across the internet. We've quickly reviewed and removed this video for violating our policy against misleading manipulated media and notified our peers at other platforms. End quote. He directed readers to Facebook's policy against manipulated media.
Digital Shadows has been following what it characterizes as a significant rise in hacktivism during Russia's war against Ukraine. Volume of activity has spiked, the company writes, but we're also observing novel approaches to organizing and attempting to circumvent obstacles. This will likely continue in the coming weeks. That novelty can be seen in the hands-off approach the Ukrainian government has taken to mobilizing hacktivists. It may also be seen in the work of the hacktivists themselves, who've adopted such techniques as texting Russians with news to counter Kremlin propaganda. Activists have also, according to the Washington Post, turned to such hoary Cold War throwbacks as shortwave radio to get messaging through Moscow's increasingly walled-off internet. He's really not a hacktivist, but one celebrity who's seeking to reach the Russian people is Arnold Schwarzenegger, who posted a direct appeal with Russian subtitles to both Twitter and Telegram.

President Putin's response to any inside Russia who might listen to such appeals, and especially to those who might spread them, has been direct and couched in brutal, contemptuous terms. Russia will spit out the traitors and scum who spread Western lies, and Russia will be the stronger for it. Bloomberg reports Mr. Putin's remarks as follows, quote, any people, and particularly the Russian people, will always be able to tell the patriots from the scum and traitors and spit them out like a midge, end quote. That's the heavy stick delivered by a leader whose self-presentation has been characterized by plenty of imperial trappings, from long, long tables to elaborately liveried guards. Contrast that with his opponent's self-presentation, which has generally been shabby chic, including President Zelensky's stubble and T-shirt worn during his address to the U.S. Congress. In general, observers see Ukraine as the clear winner in the war of influence.
One of the consequences of Russia's disconnection from the Internet, and that disconnection is both self-imposed and a consequence of external sanctions, is the creation of a splinternet, a process that MIT Technology Review worries might be difficult to reverse. Russia's creation of its own TLS certificate authority, as it moves to evade the consequences of sanctions, also poses broader security risks. CSO Magazine points out that traffic interception and man-in-the-middle attacks are likely side effects of the new authority. The risk is principally to Russian Internet users.

Germany's information security agency, the BSI, explains its warning against using Kaspersky antivirus products. The problem is that security products require extensive permissions in the systems they protect, and that they also maintain an enduring persistence in those systems. Russia, the BSI thinks, is fully capable of deciding to force Kaspersky to hand over data on its customers, perhaps even give Russian intelligence services access to customers' systems. This risk has grown during Russia's war against Ukraine, and the BSI recommends replacing Kaspersky products with other vendors' equivalent systems. Kaspersky feels ill-used, with some arguable justification, since the warning is based on an assessment of possibilities and not on actual evidence of misconduct. The company responded, quote, we believe this decision is not based on a technical assessment of Kaspersky products that we continuously advocated for with the BSI and across Europe, but instead is being made on political grounds, end quote. That's probably right, but unfortunately for Kaspersky, in the BSI's eyes, it's irrelevant. The BSI's concerns are that Russia could pressure Kaspersky in ways the company couldn't control, or probably resist, and that the risk of such pressure during wartime is simply too great to overlook.
Triolan, a major Ukrainian Internet service provider, has faced periodic disruption since the Russian invasion began. CPO Magazine reports that attackers, presumably Russian, had set Triolan internal devices back to factory defaults, which effectively knocked them offline. Other Ukrainian ISPs have experienced similar service disruptions as recently as last week.
Three reports today outline new techniques in social engineering. In the first, researchers at Trustwave's SpiderLabs describe chameleon phishing pages, that is, pages that adapt their colors and logos to fit the intended victim's predilections and presuppositions, the better to induce them to enter the credentials the scammers are trying to steal. The elements that change include the page's background, a blurred logo, the title tab, and the capitalized text of the domain from the email address provider. Phishing pages are typically short-lived and quickly exposed. Chameleon pages offer criminals the advantage of being able to easily reuse them.

Armorblox describes a campaign that's targeting employees at a large U.S. insurance company. The scammer sends an email purporting to be from Instagram support telling the intended victim that they've been reported for violating copyright laws. If the victim doesn't respond within 24 hours, and the response, of course, involves presenting credentials, quote, your membership will be permanently deleted, end quote. Social apps often interpenetrate business apps, especially during periods where remote work is common, and that makes this particular brand impersonation campaign more menacing.

And finally, Avanan has an account of how criminals are using CAPTCHA to bypass security filters. The scammers use CAPTCHA forms sent from legitimate domains in their emails. This often bypasses scanners and permits the phishing email to reach the intended victim's inbox. Once the victim tries to access the content, the attacker asks that they enter their credentials to do so, and all too often, the victim complies.
Among the many things that parenthood has taught me is just how much my own parents were likely looking the other way when my siblings or I were up to no good, picking their battles and letting us think we were getting away with a lot more than we actually were. In today's online digital age, parents have access to a variety of online tools to keep tabs on their offspring. The CyberWire's Carole Theriault has been considering this reality, and she files this report.

A recent survey from Malwarebytes revealed that 70% of parents track their kids online. And depending on the age of the child, a parent might want to watch their socials, or know what websites they visit, or monitor where they are at any given time. But get this, more than a third of parents who track their kids admitted that they do this without consent. And I was rather surprised. It seems that family tracking apps have exploded in popularity over the past decade or so. No doubt that a typical parent's natural instinct is to protect their children. And let's not forget that parents are also legally liable for their kids until they turn 18. So if they get into trouble, I can understand that most parents want to know immediately. And of course, technology helps with that. But some experts question whether monitoring online life is actually helpful at protecting the kids.

Sonia Livingstone, a professor in the Department of Media and Communications at the London School of Economics and Political Science, told the BBC that there is in fact, quote, zero evidence that any of these apps keep children safer, unquote. Livingstone also said that there's indeed a real risk that parental monitoring, quote, moves from being intrusive to abusive. And she argues that it's crucial to our autonomy and our personal integrity not to have our every private thought observed. And that's what private means, unquote.

So I'm thinking about this as an adult. If I got employed somewhere, I would very much like the company to explain if and how they track my behavior before I accept the job, rather than me finding out they're doing it surreptitiously down the line. Or if I got into a relationship with someone only to find out that they've put a smart tracker on my car and loaded monitoring apps on my phone without my consent, I would be livid. I mean, finding out that you've been tracked without your knowledge or consent has got to be a nasty shock, whether you're a kid or an adult. I'd worry it would erode trust, respect, maybe even increase stress and anxiety.

Well, Britain's privacy watchdog has weighed in on this and says in its data protection guidelines that companies that provide parental tracking capabilities to monitor children through their services need to take care. It says if your service allows parental monitoring or tracking of a child, you should provide age-appropriate resources to explain the service to the child so that they are aware that the activity is being monitored by the parent or their location tracked. You should provide a clear and obvious sign for the child, such as a lit-up icon, which lets them know when monitoring or tracking is active. And they also say that children who are subject to persistent parental monitoring may have a diminished sense of their own private space, which may affect the development of their sense of their own identity.

As the parental monitoring market expands, in some places with little to no regulation, it is up to you families out there to think about how you want to proceed. Perhaps an open and honest discussion about whether monitoring is appropriate at all, and if it is, what monitoring is appropriate and how it can comfortably be used? I mean, this might be a good place to start. This was Carole Theriault for the CyberWire.
And joining me once again is David Dufour. He's the Vice President of Engineering and Cybersecurity at OpenText. David, always great to have you back on the show. I want to check in with you, touch base on some of the things I know you have your eye on when it comes to cyber attacks, specifically within the automotive vertical. What can you share with us today?
Yeah, you know, David, there was a big to-do. I think you can remember five or six years ago, I had rented a Jeep and I was trying to get you to drive around in it so I could then take over remotely and, you know, drive it into a ditch. But you wouldn't fall for it.

No, I was one step ahead of you.

You were. But there was the big to-do about remotely hacking the Jeep. I think it was 2015, 2016. They were demonstrating that at Black Hat. And then it's kind of gone by the wayside. A lot of times we think about vehicles as industrial components and not a lot of focus is put on those. But, you know, vehicles have 150, you know, electronic control units. They have millions of lines, hundreds of millions of lines of code in them. They are ripe to be attacked, especially if you're attacking infrastructure. But one person's opinion here, I don't think it's going to be the "I'm going to play a joke on my friend and drive his car off the road." I think what we're going to see happen here is more of things where you maybe have ransomware attacks because cars are so plugged in at this point. And you're going to have to pay somebody a ransom to unlock your car. I see things like that happening in the not-too-distant future.
Yeah, I agree with you. I could see folks walking out to head to work and the screen popping up and saying, if you want to be on time this morning, that'll be $20 or $100 or $1,000. Who knows? But along those lines, we've seen some automotive manufacturers kind of dipping their toe in the water of moving some things to subscription services. You know, if you want to have those seat heaters, instead of just buying it from the dealer, you know, there'll be a monthly fee. So it's interesting how that connectivity that the vehicles have, that they're able to activate and deactivate things using software and over-the-air updates.
And to keep going with that example, there's even a commercial that shows a car that's basically a big smartphone. To that example of subscriptions and things of that nature, you can get online, and there are people, there's a very popular electric car manufacturer, people are rooting their car and using it to mine crypto. I mean, if I pay $100,000 for an electric vehicle, I'm not going to root it and mine crypto on it. What could possibly go wrong? But people are doing it. And I think a lot of times we think of cars as a refrigerator or a washing machine. I mean, they're fancy, we like to show them off, but they are vulnerable. As you and I always talk about, yes, the first wave of attacks are academics or people that are curious in any type of cyber issue that you see. But then that next wave are people who come up with ways to monetize those attacks. And I think we're going to see that start to happen here as these cars become more connected.

This is why I drive a 1946 Jeep CJ with no electronics.

Right. World War II surplus.

Yeah, exactly.

No, that makes sense. It also explains why you're single.

So there you go. All right. Well, David Dufour, always a pleasure having you on the show.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.