CyberWire Daily - Facebook takes down Iranian-run accounts. Criminal investigations look online. IBM to buy Red Hat. Satori is still with us. British Airways and Magecart.
Episode Date: October 29, 2018

Facebook takes down accounts linked to Iran for coordinated inauthenticity. Iranian information operations appear to be learning from the Russian approach: be divisive, be negative, and be opportunistic. Investigations of pipe-bombs and the Pittsburgh synagogue shooting look at the suspects' digital record. IBM announces its acquisition of Red Hat. The Satori botnet continues to evolve. British Airways and Magecart. Supply chain seeding, probably not; dragonnades, yes. Emily Wilson from Terbium Labs on data from the most recent Facebook breach showing up on the dark web. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_29.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer. Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. Air Transat. Travel moves us.
Hey, everybody. Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Facebook takes down accounts linked to Iran for coordinated inauthenticity. Iranian information operations appear to be learning from the Russian approach: be divisive, be negative, and be opportunistic. Investigations of pipe bombs and the Pittsburgh synagogue shooting look at the suspects' digital record. IBM announces its acquisition of Red Hat. The Satori botnet continues to evolve. News on British Airways and Magecart. And supply chain seeding? No. Dragonnades? Yes.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, October 29th, 2018.
On Friday, Facebook took down a number of inauthentic accounts run from Iran, as Twitter had done a week earlier. Iranian influence operations had hitherto been artlessly direct in following the Islamic Republic's domestic and international line, but this latest round of trolling was effectively indistinguishable from the familiar St. Petersburg style. The content pushed was opportunistically divisive, directed against fissures in both American and British culture. St. Petersburg's Internet Research Agency apparently referred traffic to bogus pages operated by Iran. This could be a sign of collusion, but simple alignment of interests and recognition of good work, good from Moscow's point of view, are at least as likely.
It does appear that Facebook has hit upon a formulation for screening content that it may be able to apply in a workable fashion. They aren't focusing as much on the content as they are on its source, looking at coordinated inauthenticity as a marker for what they will try to filter. Some of the content being pushed by the Iranian troll accounts is indistinguishable from opinions that circulate among people in the targeted societies who are intensely politically engaged and interested. But the identities behind the troll accounts Facebook is screening can be determined to be fictitious, and their activity on social media to exhibit a degree of coordination that suggests a state-run information operation. So bogus identities and astroturf simulating grassroots would appear to be the social network's red flags.

Facebook is still rumored to be shopping for a security company that might help with both breaches and content moderation.
Different issues are presented by the digital spoor of both the alleged Florida pipe bomber and the alleged, we probably must say alleged, although he was taken into custody red-handed and wounded on the scene by police, the alleged killer who murdered 11 in a Pittsburgh synagogue this Saturday. The pipe bomber appears to have expressed solidarity with his Russian brothers, although how much of that counts even as inspiration is an open question. The Pittsburgh shooter was much more active in social media, particularly in those precincts of the platform Gab that catered to those with neo-Nazi sensibilities. Gab itself has gone down as it's lost access to services provided by other sectors of the industry. PayPal, Medium, Joyent, and GoDaddy all stopped doing business with Gab over the weekend, effectively driving the social network from the internet. What role private industry will come to play in this sort of content moderation remains to be seen.

IBM announced its intention to acquire Red Hat for $34 billion, a bet that IBM's future lies in hybrid cloud and subscription-based software. While tangentially related to security, the coming acquisition is regarded by most observers as a very big deal indeed. TechCrunch, for example, says that IBM is betting the farm on this one, and it's a transaction we'll certainly be watching with interest. That farm is a big one.
Researchers at CenturyLink report that the Satori botnet continues to evolve and remains a threat. This is noteworthy because the individual regarded as one of its principal alleged authors has been in custody for some time. Satori has over the past few months moved away from its original set of IoT targets, many of which it took from its Mirai precursor, and onto Android devices. That alleged author is one Kenneth Currin Schuchman, also known by his preferred nom de hack of Nexus Zeta. He was arrested in August and granted pretrial release. He's now back in custody for violating the terms of that release. What exactly he did, ZDNet reports, isn't known, but it was enough to land him back in the SeaTac detention center in the state of Washington.
On Friday, the Librarian of Congress and the U.S. Copyright Office added more exemptions to Digital Millennium Copyright Act enforcement. The exemptions are intended to reduce the risk that legitimate security research would run afoul of the DMCA.
Fortune magazine reports that Amazon is pulling back on advertising with Bloomberg. Amazon has cited advertising budget changes, but sources tell Fortune that the cutback is an expression of displeasure with Bloomberg's reporting on the alleged supply chain poisoning attack by Chinese intelligence services. Amazon, like Apple and Supermicro, has demanded a retraction from Bloomberg. Cult of Mac reports that Apple has disinvited Bloomberg from its fall event. Apple hasn't commented, but BuzzFeed reports that this, too, is retaliation for the controversial and increasingly less credible story.
Security firm Securonix has an analysis of the recent British Airways breach. They note that it's one in a series of attacks by the Magecart gang, which has been stealing payment card data and personal information since 2015 at least. They note that Magecart has made heavy use of customized malicious JavaScript on the victim's website. They've at different times done this by directly compromising their target's website or through the compromise of some third-party component used on that website. In the case of the British Airways breach, Securonix thinks the attack was accomplished by directly modifying code on the airline's main website itself.
Cyber risk continues to occupy more corporate board attention. A report from Deloitte finds that the two greatest threats to companies, as CEOs and boards reckon them, are first, disruption of the business by new technologies or innovations, and second, cyber incidents or events.

The FBI has glumly warned companies not to expect simple attribution to do much to deter North Korean hacking. Pyongyang really doesn't have much to fear when it comes to reputational risk alone, which shows how having nothing to lose can sometimes amount to a position of strength.
The Chinese government's policy of stationing loyal citizens, mostly ethnic Han, in the households of mostly Muslim Uyghurs, may remind Americans why their Bill of Rights has a Third Amendment to preclude such dragonnades. In fairness to the memory of the tyrant George III, words which we doubt have been written recently, the quartering acts seldom resulted in redcoats imposing themselves on the family hearth. They were more a measure intended to get the colonists to pay what His Majesty's government took to be a reasonable fraction of their defense against the French and Indians. And so the colonial treasuries were expected to, for example, build barracks as needed or pay to lodge soldiers in inns and public houses, or in extreme cases in barns and outbuildings, as happens with European armies on field exercises even to this day. But the patriots wanted no more of that than they wanted expensive tea or tiresome stamps, and they were also aware of how the French crown had used the dragonnades against the Huguenots. So the last thing you wanted, if you were living peacefully in, let's say, Armonk in the colony of New York, was a file of British regulars looking for accommodations. The Chinese policy is a more serious and more intrusive matter, an aggressive form of surveillance and information operations conducted on the ground and in person with a domestic population. This would seem to be a case in which long-standing policy in cyberspace has now found its expression in physical space.
Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.

And joining me once again is Emily Wilson. She's the Fraud Intelligence Manager at Terbium Labs. Emily, welcome back. We have heard a lot about this recent Facebook breach, and I wanted to touch base with you about what this means from a dark web perspective, what we might expect. Might we see these credentials online? What's your take on it?
I don't expect we'll see this information showing up on the dark web, at least not packaged as coming from this particular breach. In the same way that after Equifax or so many of these large breaches, the information doesn't immediately show up on the dark web, and it's very rarely packaged as such. A few notable instances where it is packaged that way, right, are some of the legacy breaches we saw a few years ago where the LinkedIn database was dumped or, you know, we saw information from Tumblr. But in most cases, people aren't going to take these large data sets and sell them off. It really draws way too much attention to the vendor.
Oh, so the data set itself is too hot?
A little bit of that. And also, sometimes you might have a financial motivation behind why you want to do something. Maybe you also just want to, you know, do a little casual vandalism and dump all of this data. But if you got your hands on that many credentials, you'd think you'd try and use them yourself first if you're going to, you know, manage to get a hold of them.
Do these credentials tend to filter through over time, where eventually they'll end up on the dark web?
I think certainly there's a good possibility we'll see these accounts end up in some form or fashion on the dark web. I also think, and I'm going to sound a little bit more like a broken record here, but it's not like this will be the first time there have been Facebook accounts on the dark web. There have been Facebook accounts for sale probably for as long as Facebook's been out there and there have been dark web markets, right? These are a regular type of good that we see on these markets for sale.

And where does the Facebook account sit in the spectrum of valuable things to sell in a dark web market?

If we're talking about value and not price, which I think is the more interesting conversation, these are very valuable because your Facebook identity is almost as good as a regular identity. One of the issues that we saw exploited with this breach was the issue with Facebook's single sign-on. If you have access to someone's Facebook account, then you have access to all of the personal information you could ever need. You have a fully vetted audience of people ready and willing to accept scams because you're coming at it from a quote-unquote trusted source.
Right, real names kind of thing.
Yeah, and plenty of advertisements for Facebook accounts being used as a method to cash out or Facebook accounts being used as a way to verify other payment accounts. This is a Facebook account that comes with a verified payment processor account. So you can skip over some of the other more traditional methods of using identity verification. So Facebook accounts are very valuable. Most people have them. Most people are using the same passwords across multiple sites. And most people share a lot of information with Facebook because Facebook is very, very good at getting you to open up and try to create a customized experience. And that's exactly the kind of thing fraudsters want to use against you.

It's going to be interesting to see how this one plays out. How many nails in the coffin can Facebook get before people start leaving in droves, if that ever happens, if it's possible?
I don't know. I don't know if it's possible because, and I was just talking to someone about this yesterday, right now, for a lot of people, there aren't any good alternatives, and the tradeoffs aren't worth it. If your options are to get off of Facebook and hopefully find some way to clear up all of the data that you've already shared that's already been passed on to third parties, and how someone would even go about doing that, your average consumer, good luck. Even if you do all of that, is it worth missing out on your family and your friends, especially for certain generations where this is their primary way of staying in touch? They're just not going to do that. And so Facebook has a fairly captive audience.

Yeah. All right. Well, time will tell. Emily Wilson, thanks for joining us.
Thank you.

ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Thanks for listening.
We'll see you back here tomorrow. Thank you.

a product's platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.