CyberWire Daily - Espionage and counter-espionage in at least three of the Five Eyes. New sanctions against North Korea. Password managers and flashlights.

Episode Date: September 16, 2019

Spy versus spy, in America, Canada, and Australia, with special guest stars from the Russian and Chinese services. The US Treasury Department issues more sanctions against North Korea's Reconnaissance General Bureau, better known as the Lazarus Group or Hidden Cobra. Russian election influence goes local (and domestic). Password manager security problems. And why does your flashlight want to know so much about you? Justin Harvey from Accenture with insights on HTTPS and phishing.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Spy vs. Spy in America, Canada, and Australia with special guest stars from the Russian and Chinese services. The U.S. Treasury Department issues more sanctions against North Korea's Reconnaissance General Bureau, better known as the Lazarus Group or Hidden Cobra.
Starting point is 00:02:12 Russian election influence goes local and domestic. Password manager security problems. And why does your flashlight want to know so much about you? From the Cyber Wire studios at DataTribe, I'm Dave Bittner with your Cyber Wire summary for Monday, September 16th, 2019. The news that's broken over the weekend and into today heavily involves espionage, and so our discussions will have a great deal of spy versus spy. First, Yahoo reports that Russian intelligence services successfully compromised FBI and possibly other intelligence community communications from 2010 until 2016. U.S. counterintelligence authorities became aware of the compromise, which involved, among
Starting point is 00:03:03 other things, the ability to break encrypted cell phone communications among FBI counterintelligence teams sometime in 2012. Internal disputes within the Obama administration's national security apparatus, which experts who witnessed deliberations characterized to Yahoo as reset hangover, delayed a comprehensive response until December 2016, after the last U.S. presidential election. That response took the form of the expulsion of more than 30 Russian diplomats declared persona non grata for their involvement in the espionage campaign. It also involved U.S. seizure of two comfortable vacation homes, both with nice proximity to the ocean, used by the Russian delegation, one on Long Island, New York, and the other on Maryland's eastern shore.
Starting point is 00:03:53 The FBI began to move to alternative communication systems after suspecting something was up in 2012. Observers describe that move as expensive. One of the questions the Russian operation aroused is the possibility that the espionage campaign wasn't simply a technical achievement, although it seems clearly to have been that, but rather a technical achievement enabled by an internal turncoat, a mole. There's also a mole hunt underway in Canada. On Friday, a senior member of the Royal Canadian Mounted Police, the RCMP, colloquially the Mounties, Cameron Ortis, was charged under Canada's Security of Information Act, CBC reports. Mr. Ortis had been serving as Director General of the RCMP's National Intelligence Coordination Centre.
Starting point is 00:04:47 He's alleged to have been in improper contact with Russian entities. It's not known what information, if any, he may have passed on. There's some hope that he was stopped before he was able to transfer any sensitive information. The government has been relatively tight-lipped about the case, but Crown counsel did tell reporters, without going into too much detail, it's alleged he obtained, stored, and processed sensitive information. The Crown believes with the intent to communicate that information
Starting point is 00:05:12 with people he shouldn't be communicating to. He's been charged under the Security of Information Act with unauthorized communication of special operational information and with preparing for the commission of an offense by obtaining or gaining access to information or possessing any device, apparatus, or software used for concealing, surreptitiously communicating, or obtaining information. He was not charged with sharing information with a foreign government, which has led some observers to hope that nothing in fact reached the Russians.
Starting point is 00:05:47 He also faces charges under Canada's criminal code, including breach of trust by a public officer and unauthorized use of a computer. Why would Russian intelligence be interested in the RCMP? They're Canada's National Police Service's why, and they have a counterintelligence role that's roughly analogous to that of the US FBI. The Globe and Mail says that Mr. Ortis was also running the Canadian side of an inquiry into Russian money laundering, which would also have piqued Russian interest. The other four I's will be watching developments of the case closely, since a compromise, should one have occurred,
Starting point is 00:06:26 could affect the services of Australia, New Zealand and the United Kingdom, and the United States. The RCMP wasn't saying whether Mr. Ortis still had a job with the Mounties, but we're betting at the very least that he's been placed on indefinite leave and probably isn't welcome back into the skiff until any of these possible misunderstandings are cleared up. Reuters reports what's long been suspected. The Australian Signals Directorate concluded in March
Starting point is 00:06:56 that Chinese intelligence services were responsible for penetrating networks of Parliament and three major parties, the Liberals, the Nationals and Labour. The, the liberals, the nationals, and labor. The government did not make the conclusion public, sources tell Reuters, because of concerns that doing so would disrupt bilateral trade negotiations. So, given that the anonymists have begun chatting with Reuters, the anonymists at least don't care so much about bilateral trade talks. On Friday, the U.S. Treasury Department announced sanctions against North Korean hacking organizations, units of that country's principal intelligence service, the Reconnaissance General Bureau.
Starting point is 00:07:35 Three outfits were specifically singled out, the Lazarus Group, also known as Hidden Cobra, and two of its subordinate organizations, Bluneroff and Andariel. Treasury holds the Lazarus Group responsible for WannaCry and the Sony hack. Bluneroff has specialized in attacks on the Swift financial transfer system and Andariel in carding and ATM theft. One might wonder what, at this point, is left to sanction in North Korea, but there remain many good reasons for calling out the RGB's cat paws and for naming individual actors, getting them on a range of watch lists.
Starting point is 00:08:13 If all politics is local, online election influence seems to be moving in that direction as well. Meduza's account of how Russian influence operations have evolved since 2016 shows more attention to the details of advertising, more attention to domestic elections and more listicles. The attention being paid to domestic elections is noteworthy. Apparently, embarrassment and irritation over what President Putin took to be unwelcome encouragement of dissident factions in Russian public life, such as it is, drove that 2010 effort to up Russia's espionage game in the United States. After all of this wrangling among rival intelligence services, we close with a few reminders that there are other security concerns in cyberspace. Google's Project Zero tweeted in the wee hours last night that the LastPass password manager could, under certain circumstances,
Starting point is 00:09:08 leak credentials from a previously visited site. It seems to be an actual possibility, but one that requires relatively complicated user interaction to accomplish. It also seems limited to browser extensions in Chrome and Opera. LastPass's response isn't quite a physician-heal-thyself in the direction of Google, but anywho, Chrome users, take note. We'll see how this story develops. And speaking of Google, there are a lot of very nosy flashlight apps in the Play Store.
Starting point is 00:09:39 How much does a flashlight app really need to know about you, really? Not as much as it's asking, Avast suggests. It seems that a lot of those permissions are requested in the service of monetization on behalf of ad partners. 50 to 70 permissions seems like a lot for a flashlight to need if it's simply in the business of helping you find your keys at the tail end of a fun night. And why would the flashlight demand permission to record audio? At any rate, beware of the flashlight. It's supposed to be revealing your surroundings to you and not vice versa.
Starting point is 00:10:18 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Together, head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:10:54 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
Starting point is 00:11:43 cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Justin Harvey. He's the Global Incident Response Leader at Accenture.
Starting point is 00:12:43 Justin, it's always great to have you back. I wanted to touch base with you today about HTTPS and some things that are going on with that when it comes to phishing. What can you share with us? Well, it's the magical green safe icon. We've been conditioned to trust, but it's actually turning out that the trust shouldn't be implicit. And we know that the green icon means our data is safe in motion. We can all agree on that. If you have your browser and that green safe is up there or your green bar or the black safe, if you're using Chrome, that means that your browser has negotiated a TLS protocol with the web server and intruders or attackers or adversaries that
Starting point is 00:13:27 are sitting between you and that website can't see your data. But what we don't take into account is what happens when it gets to the destination. And what we're seeing is a trend in attackers that are not only using the approach to take a domain name or a company name and change the one to an L or changing an O to a zero, but they're also putting in SSL certificates. So that really gives users a little bit of more trust in that site because we've conditioned them, hey, if it's a green safe, you're okay. So is it the fact of the matter that SSL certificates aren't that hard to come by these days? Yes. In fact, we're seeing a trend where SSL certificates are actually making it through the signing process and probably instances where they shouldn't. Most notably are the domains that are just like real companies,
Starting point is 00:14:26 but they've got a few characters transposed. And given how easy it is for adversaries to get their own compute power, their own web servers on the cloud, there are even virtual cloud data centers that you can pay in Bitcoin. It makes it very easy to get a mimic style domain, go register an SSL certificate and essentially run your own business email compromise portal out of there with your misnamed sites and your SSL certificates. Now, while they are valid, they're not quite, I wouldn't really call them fake. They're really just, maybe the right term is faux here, Dave, but so they're not actually signing them in a fake sort of way. They're getting them signed so that they can be that green icon.
Starting point is 00:15:11 It's just that the cert providers are not putting a stringent process on that. And when users are using their browser, either on mobile or PC or Mac or Linux, they go to these sites and then they automatically trust them because of the green icon. Well, so, I mean, let's approach solutions to this from two directions. I mean, there's the technical side and there's the human side. Clearly on the technical side, the best approach is to have a little bit more of a stringent process on signing certificates, but I can only imagine the enormity of that problem out there, given the speed at which domains are being registered and certs are being signed. And on the human aspect to this, I would say that this is more of a medium to small businesses that are targeted with this style of attack. If you are part of the big
Starting point is 00:16:01 businesses, they are usually policing a lot of the domains out there, trying to police a lot of the certificates. But you see with the medium and small providers, they don't have that sort of vigilance. So their users are getting duped into this sort of operation. You've also got to look at how this is being delivered to the victims, usually phishing attacks or SMS style phishing attacks or even voice attacks. So calling up and doing a little bit of social engineering. I think that being able to train your personnel, your customers, your employees about this risk with an ongoing security awareness training program is a good step forward for it.
Starting point is 00:16:44 And I guess looking at that little lock icon and taking it with a grain of salt. That's right. If the nature of the reason you're accessing this site is that you got a text or an email from your bank or forum from a social media site, they're trying to create a compelling event. They're trying to get you to say, oh, oh my gosh, I need to stop what I'm doing now and log in. The best course of action is no matter where it comes from, is to go and use your browser and type in the website and go to there and see if that alert exists or simply call into wherever it is and ask them if this is their valid communication to you. And go look up that phone number. Don't use the number that they may provide you with, right? Exactly. Exactly.
Starting point is 00:17:33 All right. Well, Justin Harvey, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:18:08 Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
Starting point is 00:18:48 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, and Peter Kilpe. Thanks for listening. We'll see you back here tomorrow.
