CyberWire Daily - Doxing in Germany. How Lojax works. Spyware found in apps downloaded from Google Play. ISIS hijacks dormant Twitter accounts. Update on Moscow spy case. Chromecast hacking endgame.
Episode Date: January 4, 2019. In today's podcast, we hear that German politicians, celebrities, and journalists have been doxed by parties unknown. ESET describes the workings of Lojax malware. Google ejects spyware-infested apps from the Play Store. ISIS returns online to inspire, via some hijacked dormant Twitter accounts. Updates on the arrest of a dual US-UK citizen on spying charges in Moscow. And some PewDiePie followers sort of say they're sorry for hacking Chromecasts. Sort of. Justin Harvey from Accenture with his outlook toward 2019. Guest is Ken Modeste from UL (Underwriters Laboratories) on their evolution as a safety certification organization. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2019_01_04.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/n2k, code N2K at checkout.
German politicians, celebrities, and journalists have been doxxed by parties unknown.
ESET describes the workings of Lojax malware,
Google ejects spyware-infested apps from the Play Store,
ISIS returns online to inspire
via some hijacked dormant Twitter accounts,
updates on the arrest of a dual US-UK citizen
on spying charges in Moscow,
and some PewDiePie followers sort of say
they're sort of sorry for hacking Chromecasts.
Sort of.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 4th, 2019.
A major story, and one that's curiously only just coming to light, is coming out of Germany.
The BBC and other outlets are reporting that a very large doxing campaign has exposed sensitive personal information belonging to hundreds of German political figures.
The campaign, which began quietly before Christmas and took the form of a satirical Advent calendar, with doors
opening to reveal various items, released private communications, emails, contacts, phone numbers,
memoranda, and financial information belonging to hundreds of politicians, including Chancellor
Merkel and President Steinmeier.
Most of the targets were politicians, but data belonging to some celebrities and journalists were also compromised and released.
Germany's information security agency, the BSI, is investigating.
The only political party apparently unaffected is the Alternative for Germany,
generally described as far-right.
Observers betting on form suspect Russia's GRU, Fancy Bear, working with the aim
of discrediting politics and civil society in Germany, but that's speculation on a priori
probability. Security firm Proofpoint emailed us to say that they think the operation looks a lot
like a Russian APT they've been tracking. Proofpoint's threat intelligence lead Chris Dawson said,
While actor attribution is notoriously difficult, early indications suggest that the Russian APT
group Turla, also known as Snake, Venomous Bear, Water Bug, and Ouroboros, is behind the German
data breaches reported earlier today. Proofpoint researchers have seen Turla targeting German
interests before,
particularly leveraging a G20 summit on the digital economy that took place in Hamburg in October 2017.
Other activity associated with this group has been well documented
and stretched back to at least 2018.
End quote.
So that's an informed bet on form.
There are no official details on attribution,
and Twitter has taken down the accounts used to spread links to the documents.
German Justice Minister Barley called the incident a serious attack
and added that the people behind this want to damage confidence in our democracy and institutions.
None of the material so far seems particularly discreditable or explosive, but there's a great deal of it, and the range of the doxing suggests that whoever was behind it worked at the caper in a long, focused effort.
Speaking of Fancy Bear, researchers at security firm ESET have released details on Lojax, the UEFI rootkit the GRU has been using to compromise firmware and devices it's
targeted for cyber espionage.
There is, ESET says, good reason to believe that Lojax can be relatively easily thwarted.
Vendors are now able to patch their devices, and enabling secure boot on vulnerable Windows
devices should also prevent Lojax from running.
There's another family of malware circulating in the Play Store.
Researchers at Trend Micro have discovered a MobSTSPY infestation in Google Play,
where the spyware has been found lurking in otherwise innocent-appearing Android apps.
More than 100,000 users may have been infected.
The malware can eavesdrop on SMS conversations and read contact lists, files, and call logs.
It reports the stolen data to its server via Firebase Cloud Messaging.
It can also geolocate the device it's infected.
Trend Micro says the spyware was first noticed in a game called Flappy Birr Dog.
They subsequently found it in several other applications as well.
Google has now removed the infected apps from the Play Store.
ISIS has returned to the online world,
seeking to inspire mass murder, mostly by automobile,
in spaces crowded with unbelief,
that is, public spaces where most of the people in any given crowd are likely to be infidels.
Engadget and TechCrunch report that some of the depraved inspiration
has been delivered through dormant Twitter accounts ISIS hijacked.
Twitter has now suspended those hijacked accounts.
Bail is being sought for Paul Whelan, charged with spying by Russia's FSB.
The FSB says the dual U.S.-British citizen
received a USB drive containing a roster of personnel at a secret Russian institution.
According to various Russian news sources, Whelan received the dongle from a Russian
citizen at his hotel, with FSB agents bursting in moments later to arrest him.
What happened to his alleged Russian confederate isn't known.
Whelan's background is unusual.
He's a senior security manager at BorgWarner,
which is a large company with operations in many countries,
but Russia is not among them.
He has visited Russia before,
and he's said to have been active on VKontakte,
the Russian social network.
He's an ex-marine, a former staff sergeant who twice deployed to Iraq,
but who was also given a bad conduct discharge by a court-martial in 2008
for what military court records characterized as attempted larceny,
three specifications of dereliction of duty,
making a false official statement, wrongfully using another's Social Security number,
and 10 specifications of making and uttering checks without having sufficient funds in his
account. The court-martial would seem to make him an unlikely candidate for recruitment by U.S.
intelligence services. But then it would also seem to make him an unlikely candidate for a
good security job at BorgWarner. Yet, that's the job
he has. It's an odd case. Whelan seems to be, at least, a bit of a russophile, and his interest in
Russian culture, which many people in many places share, may have put him in harm's way as an easy
target of opportunity for Moscow's security organs. The circumstances of the arrest do indeed
sound like something consistent with
provocation. Most observers think Whelan's arrest is a Russian move to bargain for a spy swap with
the U.S. and indeed seems the likeliest explanation on the basis of what's known so far. For now,
he's still being held and his Russian defense attorneys say he seems to be bearing up as well
as can be expected.
Both the U.S. and British consulates are in touch with the Russian government over the case.
And finally, there's a pause in the campaign to get people to follow PewDiePie. The fans responsible, whose hacker names are HackerGiraffe and Juicer,
have represented themselves as white hats, honest vigilantes showing the unskilled
and unaware that their chromecasts are hijackable by, well, hijacking those chromecasts.
Anywho, no doubt after a night of unquiet sleep, possibly made even more unquiet by
overindulgence in Tide Pods, Hacker Giraffe awakened to the realization that he had been transformed into something
that felt "burned and roasted, awaiting my maybe coming end."
Mr. Giraffe has therefore now exited the social media spaces he formerly cumbered, suggesting
to Motherboard that he never meant any harm, and regretting that he spooked people so badly
they began sending him death threats.
We're with him on the death threats, nobody should get those,
but we won't miss the invitations to chicken dinner with Mr. Pie either.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies
like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their
families at home. Black Cloak's award-winning digital executive protection platform secures
their personal devices, home networks, and connected lives. Because when executives are
compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Justin Harvey.
He's the Global Incident Response Leader at Accenture.
Justin, it's great to have you back.
Happy New Year.
It is time to talk about what you are looking forward to in 2019.
What can you share with us? Well, I'm looking forward to companies and organizations improving their cyber defense posture. Maybe I should be the Grinch here and say there will be attacks, there will be more vicious attacks. But I think that the best advice
I can give to companies is to do the basics and to follow best practices wherever and whenever
possible. There have been a lot of cases out in the past year
where adversaries have preyed upon some of the most basic of practices, like business email
compromise is a good example of sending fake login pages to people and having them log in.
That's not related to malware at all. We know that malware is out there and it will get
worse and worse. And we know there are zero days, but it's all about what you can do today and do
well. Things like having an EDR solution. So endpoint detection and response capability,
not only on your servers, but your workstations, your laptops, so you can do hunting and get
valuable telemetry consumed within your SIEM. Another basic is to pressure test your cyber
defense program. Many times people think, well, I've got an incident response plan,
I'm doing penetration and vulnerability testing, I'm done, right? The answer is no. You really need
to pressure test in a live
fire situation to determine if your incident response program and team is up to snuff.
And you can do that through the use of red teams and adversary simulation. So that is essentially
tying together multiple vulnerabilities and having humans perform those attacks to see if you're
ready. Another basic that companies need to have is a diverse and unique threat intelligence
partnership. So not just getting threat intelligence feeds from a bunch of providers,
but pick one that has a strategic threat intelligence capability. And what I mean by strategic is being able to consume
and hear about the latest threats facing their industry or geography. A lot of companies
miss that. They think, well, I'm getting all of the feeds in. I get all the news. When there's
a zero day, I'm done, right? And the answer is there are unique attacks and adversaries that
target certain industries and certain geographies,
and it's very helpful to have that insight. And the last basic that I have to give to companies
for 2019 is an obvious one, multi-factor. You'd be surprised about how many cases over the last
year that my team has run where a company hasn't had multi-factor and they've been hit by things
like business email compromise. So having multi-factor, not just on your administrators,
not just on your users, but even sometimes and many times for your customers as well.
You know, I think 2018, we saw in terms of trends, we saw the rise of crypto mining. Is there anything in particular
for 2019 that you think is going to bubble up for us? Only time will tell, Dave. I think that,
you know, my personal opinion is leading up to the 2020 election, I think for organizations that
have candidate worthy data, I think that there will be more and more politically-backed cyber attacks and leaks.
And what's going to be interesting is to see,
based upon Julian Assange's possible extradition or possible release,
if he starts to get involved again with WikiLeaks,
or if there are more sites that are going to pop up
that are able to dump information like that.
All right. Justin Harvey, thanks for joining us.
My guest today is Ken Modeste. He's director of digital health at UL, Underwriters Laboratories. For UL's
cybersecurity assurance program, Ken leads their efforts establishing and promoting standards that
address security concerns in network-connected products and systems. We started in 1894
in Chicago, the World's Trade Fair. So that's 120 plus years. Really, that's when you started seeing a lot of
industrialization occurring and the industrial revolution that really started
driving expansion in the globe. And so because of that, electricity was becoming fairly mainstream
and UL as an organization was working towards public safety
and helping manufacturers provide safe products so that consumers can use them.
And over the last hundred plus years, that's what we've been doing.
However, now in the 21st century, the way how I look at it is, you know,
safety has had a long time to build up good practices, to build up good
expectations from consumers, and to build up educational streams where today, if you come out
of college, you know how to build a safe product. Most of the times, you know what you need to do
from an electronics perspective. When you buy something today, you buy a smartphone, you buy a
smart tablet, a TV, it doesn't go to your head that this thing is going to catch on fire or electrocute you.
You automatically take that for granted. And UL has been one of the fundamental organizations that
has had that happen over the last hundred plus years. So I like to call safety the adult in the
room and cybersecurity the baby. Cybersecurity is where safety was last century,
at the beginning of last century.
That's where it is today.
And cybersecurity, when you really consider it
and you look at it now with connectivity,
cybersecurity is sort of a major part
and element to safety.
Today, when you think of safety,
it's not only about fire,
something catching on fire or electrocuting you, because you assume that's there.
It's now about, is it secure?
Is my data secure on it?
Is my privacy secure on it?
Can it prevent someone from coming in and maliciously trying to take control and do something nefarious remotely?
And so cybersecurity is a big part of safety for this century, and UL being a public safety company has been approaching this since the 1990s, the late 1990s, to ensure that we continue to deliver the abilities and support the capabilities for safety from a public perspective.
So take us through what's going on here with your efforts.
You have your cybersecurity assurance program.
Can you describe to us what is that and how do you interact with the folks who are in industry?
Cybersecurity Assurance Program, or what we call UL CAP, we started looking at this about six, seven years ago.
As we know, 2007, the advent of smartphones and smart tablets really started a massive explosion of IoT. It was a
trickle for the first year, second year, and now you're seeing some significant trends. And what
that means is, you know, now you're going to see more and more connected products. You think of
your door lock now, you know, door lock used to be just something, you know, physical with a key.
Now I have door locks with batteries in it and
that are connected to the cloud. And so as we started looking at more and more of the products
that are on the marketplace today, and more of them having connectivity and IoT, that whole
concept of safety that I mentioned now involving security and expanding the concept of safety,
we started taking a look and saying, how do you need to move forward to provide that assurance for the consumers, the consumer
being you and I, or organizations as they buy stuff that they're putting into
their organization. So we started that process by looking at all the best practices out there.
We got together with folks from the U.S. government, from academia, and some select
folks that we knew. And we spend some time trying to identify what are all the things that are out there, how are they used, and the value they're providing.
And one of the things we really hit on is the majority of security flaws and security incidents happen with software and products, whether it's a software product like a mobile app or a cloud system, or whether it's like that smart lock that I mentioned, or a smart camera that's running
software firmware on it. And we said, if we provided requirements around how to assess and
evaluate software and products, we can have it where it covers a lot of different type of IoT markets.
And the reason why we wanted to have it where you can assess it is because there's a lot
of standards out there that tell people how to design something.
There's a lot of standards out there that tell folks how to do a secure design process
in their organization or how to assess an organization.
Think of ISO 27001.
It has been around for quite some time.
And so that's what we built, around some standards,
the 2900 series of standards.
But we also recognize that the majority of the industry
wasn't mature enough to accept these standards
and be able to comply with them immediately.
So we have something called,
I like to call it the ABCs of cyber.
And this typically happens in the industry.
When you have new specifications coming out, you think of Bluetooth as an example.
You think of Zigbee as an example.
You think of some of the new IoT technologies like MQTT.
You come up with a specification for a protocol or some type of thing.
Most folks need to first get an understanding, some kind of advice
on how to design and build it. Then they usually need some mechanism to benchmark. So advice is how
you help them, you guide them, you do workshops, you do some training, you explain to them what's
out there and what's applicable for them. You benchmark. Basically, you go out there and help them by start doing testing on what they have,
start providing them with guidance on the specification.
And some folks stop there.
You know, you've heard of pen testing.
Some folks stop at pen testing and they need some kind of guideline for repeatable and
reproducible.
And then ultimately, the C in the A, B, and C, advice, benchmark, the C is certification, where in some industries it helps to have a model where a third party like UL has gone through and evaluated an entire product or family or suite of products and certified that they comply with this standard. So the UL Cybersecurity Assurance Program overall is how we approach cyber when it comes to the safety of the 21st century. And we've built
some models in there around 2900 as our series of standards, other series of standards, but
holistically looking at how to help the manufacturers today design and build in security
into their products. UL is an independent third-party organization.
We've been operating for a long time, like I said, 100 plus years,
and we're a trusted partner for both manufacturers,
for both the asset owners or procurers of that,
and ultimately for the consumer like you and I.
And one of the things that I want to point out is that, you know,
we believe that cybersecurity is a foundation that you have to keep building on.
There is no one magic pill.
There is no one magic process.
And UL isn't saying that everything that we do will completely solve the cybersecurity problem.
What we are saying is we're presenting a possible solution as a foundation to build upon over time.
And ultimately, what we want to do is
exactly what happened in the last century. In the last century, safety wasn't comparable in the 60s
as it was to the 20s and 30s. And industry and consumers overall have to look at driving
cybersecurity trends based on what their expectations are and expecting foundational
changes over time,
but not expecting a quick magic bullet. That's Ken Modeste from UL.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios
of DataTribe, where they're co-building
the next generation of cybersecurity
teams and technologies. Our amazing
Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri,
Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben
Yellen, Nick Vilecki, Gina Johnson,
Bennett Moe, Chris Russell, John
Petrick, Jennifer Iben,
Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.