CyberWire Daily - Fancy Bear sniffs around Senatorial staffs. US NSC considers Russian election interference. Chinese and Iranian cyberespionage. Malware loaders. Smart home bugs. Stealing WiFi.

Episode Date: July 27, 2018

In today's podcast we learn that Fancy Bear is said to be snuffling around at least one US Senatorial office. The US National Security Council meets to consider Russian election interference. Notes on Chinese and Iranian cyberespionage. New malware loaders are offered on the black market. Smart home hubs are shown to be hackable. Tenable enjoys a good IPO. A burglar in Silicon Valley didn't say, your money or your life, but rather, dude I'm outta data—can I have your WiFi password? Dr. Charles Clancy from VA Tech on the security aspects of digital vs analog RF spectrum. Guest is Lisa Beegle from Akamai with info from their State of Internet Security report. For links to all of today's stories check out the CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/July/CyberWire_2018_07_27.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Fancy Bear is said to be snuffling around at least one U.S. senatorial office. The U.S. National Security Council meets to consider Russian election interference, notes on Chinese and Iranian cyber espionage, new malware loaders are offered on the black market, smart home hubs are shown to be hackable, Tenable enjoys a good IPO, and a burglar
Starting point is 00:02:17 in Silicon Valley didn't say your money or your life, but rather, dude, I'm out of data. Can I have your Wi-Fi password? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 27, 2018. The Daily Beast reports that Fancy Bear is snuffling around Senator Claire McCaskill and some of her staffers. She's a Democrat of Missouri. The GRU apparently phished the senator's office with emails purportedly to notify them that their Microsoft passwords had expired and directing them to a link that would enable them to reestablish their access with a new password. That link, which of course was bogus, led to a nicely convincing page
Starting point is 00:03:04 that looked just like the U.S. Senate's Active Directory Federation Services login page. Each phishing email contained a distinctive link that displayed the target's email address on the phony password reset page. This, of course, lent credibility to what might otherwise be a bald and unconvincing narrative. Senator McCaskill's office appears to be one of the targets Microsoft's Tom Burt alluded to at the Aspen Security Forum last week when he told symposiasts that Redmond had found a fake Microsoft domain being used against various political campaigns. Senator McCaskill is up for re-election this year. She said she's not ready yet to talk about Fancy Bear's phishing attempt,
Starting point is 00:03:46 but her office may have something to say next week. The U.S. National Security Council is meeting today in a session chaired by President Trump to discuss election vulnerabilities and, in particular, the prospect of Russian interference in the coming midterm vote. For all the recent concern expressed in the U.S. about Russian election and infrastructure finagling and reconnaissance, Russia is not the only adversary the U.S. faces in cyberspace. This week's report by the National Counterintelligence and Security Center
Starting point is 00:04:17 takes note of extensive Chinese and Iranian operations as well. In these last two cases, the recent activity has tended towards cyber espionage of an industrial kind. Chinese operators work to gain commercial advantage. The center's report listed the areas that have drawn the attention of Beijing's intelligence services, oil, gas, and coalbed methane gas energy extraction technologies, smart grids, solar and wind power, biopharmaceuticals, especially new vaccines and drugs, defensive marine systems and radar technologies, hybrid and electric
Starting point is 00:04:52 vehicle systems, pollution control, high-end computing and numerically controlled machines as used in manufacturing, space infrastructure and exploration technology, synthetic rubber, rare earth materials, quantum computing, and next generation broadband wireless. With Iran, the goals are less economic advantage than they are direct hard kinetic power. Tehran's hackers are out for technology that could improve its missile and space programs. The Iranian threat group called out in the center's report is being called Rocket Kitten, it being as customary to give Iranian groups feline names as it is to call Russian ones bears. Rocket Kitten is not to be confused with Rocket Man, who's either Kim Jong-un or Elton John.
Starting point is 00:05:39 So again, for those of you keeping score at home, if it's a bear, it's Russian. If it's a panda, Chinese. Cats and kittens are Iranian because, of course, Persian cats. There's less system about other countries, although there's some disposition to see North Korean cobras and Indian elephants, which somehow seems a throwback to the representation of delirium tremens in the old classic pre-code animated cartoons they used to show really early on Saturday mornings, like Farmer Brown or Betty Boop. Anyway. Flashpoint researchers report that malware loaders
Starting point is 00:06:14 continue their evolution and proliferation. They offer two new loaders, Aurora and Kardon, as examples. They're both for sale in dark web criminal markets. Aurora boasts that it's not only undetectable, but that it also features the ability to create self-healing bots. Kardon's selling point is simplicity. It arrives on victim machines with what Flashpoint calls a fully integrated bot shop.
Starting point is 00:06:40 Cisco's Talos Group has found 20 vulnerabilities in Samsung's SmartThings hub controllers. They say flaws could enable attackers to control the smart home from light bulb to thermostat and to remotely monitor activity through connected devices. Cisco discloses these discoveries responsibly, so Samsung has had an opportunity to develop fixes. Users should look for updates.
Starting point is 00:07:10 Google's security keys, which the company says protect its 85,000 employees from phishing, look good, but unsurprisingly, they're not a 24-carat perfect password alternative. KnowBe4 suggests ways in which the keys might prove hackable. Again, that's not to say that the keys aren't a good thing, but it is to recognize that cybersecurity deals with conflict, and that conflict occurs among human beings who see, learn, react, and adapt. Tenable began offering its shares on the Nasdaq yesterday, and its debut was a very good one, up 32% at closing. Investors like its subscription model and have given the company a value of somewhere
Starting point is 00:07:46 around $3 billion. Two other IPOs in the sector that analysts widely expect in the not-too-distant future are CrowdStrike and Tanium. Those who work in the industry will recognize buzzword bingo, which may be played during long sessions of PowerPoint in corporate offices. If you hear the briefer offer a sentence like, we'll leverage Synergy for an out-of-the-box disruptive innovation, you're entitled to holler, bingo. You can play a similar game with the news, cliche bingo. Insofar as the news instantiates cliches, and it must be factual news, not opinion journalism, track it on your card and look for five in a row. Here's a story that's almost there.
Starting point is 00:08:29 Ars Technica reports an arrest in Palo Alto, California, that's the very heart of Silicon Valley, of course, in which a young man, aged 17, so his name has been primly redacted from the police reports, broke into a couple's home in the middle of the night. He appeared in their bedroom and awakened them with a request to use their Wi-Fi, because, as he put it, he was out of data.
Starting point is 00:08:54 He was wearing a mask at the time. That's at least four clichés right there. If it turns out he wanted the Wi-Fi so he could play Fortnite, we'd be hollering bingo loud enough so everyone could hear from Baltimore to Berkeley. Sad. Today is SysAdmin Appreciation Day, the 19th annual one. Do something nice for your systems administrators, and remember, the four saddest words in the world when spoken by a manager are, why don't we just. Make them happier words by following them with, knock off early and go out for pizza on the company dime.
Starting point is 00:09:28 Have a great weekend, everybody.
Starting point is 00:11:24 And joining me once again is Dr. Charles Clancy. He's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. You know, over the years, we've seen more and more RF spectrum being carved out, being reprovisioned, I suppose, for digital services, and that makes
Starting point is 00:12:16 sense. But I'm wondering, is it automatic that as we carve away analog, what used to be analog radio spectrum, does the stuff that replaces it automatically become digital? And are there cases where it makes sense to sometimes leave things analog? That's a great point. If you look at the transition of many different types of wireless signals, we've seen the transition of FM radio to digital. We've seen the transition from broadcast UHF and VHF television to digital. And even the cell phone standards that we use, 1G cell phones were all analog.
Starting point is 00:13:02 But as we've moved to 2G, 3G, 4G, and now 5G, they're increasingly sophisticated and increasingly digital. So I think there's a variety of perspectives you can take on that. First, digital is always going to be more efficient. You can always pack more data into the same spectrum and do it in a more flexible way if it's digital. But a digital transmission and receiver system is inherently more complicated, more sophisticated. If you think back to perhaps the 1970s and 1980s, being able to build a crystal radio and listen in to FM and AM broadcast, that's really not possible with modern technologies.
Starting point is 00:13:33 But even from a security point of view, I mean, I think about something like before everything went to mobile devices, you know, we had cordless phones in our homes and the analog ones, your next door neighbor with a scanner could listen to your conversations. When they went digital, they couldn't do that anymore. Oh, exactly. So digital offers the ability to provide encryption and authentication that you really can't do in an analog context. And in fact, that was one of the big use cases for 2G was that the 1G phones of the 1980s, particularly on the West Coast, there was so much fraud that the networks were starting to fall apart because no one was paying for service. So one of the driving
Starting point is 00:14:12 use cases for 2G was, well, if we can actually use encryption to effectively authenticate users and effectively bill users. Now, are there still some legacy systems out there? I'm thinking, for example, of things like air traffic control. They're still on an analog system, aren't they? Yes, there are many systems that are still analog, from shortwave radio to VHF. A lot of the amateur radio bands are still all analog. And then certainly, as you point out, things like air traffic control are still primarily analog. Analog has a lot of features going for it. Generally, the quality of
Starting point is 00:14:48 the signal is better over longer ranges. However, again, it lacks those security features. So air traffic control is an interesting example where we want resiliency and we want to have less sophisticated transmitters and receivers so that we're more guaranteed that the system will be available and functional. But at the same time, it leaves them open to jamming and spoofing and other sorts of attacks, which potentially could be catastrophic in a scenario like air traffic control. That's interesting. All right. Well, as always, Dr. Charles Clancy, thanks for joining us. Thank you.
Starting point is 00:15:52 My guest today is Lisa Beegle. She's Akamai's Senior Manager of Security Intelligence. Today we're discussing Akamai's summer edition of their State of the Internet Security Report. Now, what are you seeing in terms of overall longer-term trends? Is the velocity increasing? Are the abilities to fight these things keeping pace? Where do things stand today?
Starting point is 00:16:38 So I would say that I've seen a couple of things. One is this year, I'm seeing the multi-gig attacks again, whereas last year, you probably saw anything around 200 megs of sorts was kind of the highlight. But I also attribute that to the fact that the attackers got smarter. And what I mean by that is from an alerting standpoint, they understand what those thresholds were. So if you hit somebody with 100 gigs in 30 seconds, the chances of there being an actual documented alert minimizes. So when you're looking at actual attack activity, you're seeing some of those smaller numbers. Whereas now I'm seeing that trending of, you know, two gigs, 10 gigs, 100 gigs plus types of attacks. I mean,
Starting point is 00:17:24 obviously the 1.35 terabits was significant, and there were some indicators prior to that of 200 plus gig attacks. So you are seeing that. I think the other thing is there's more access. So when you're looking at the uptick of overall attacks themselves, that increase, there's a huge mix of, you know, the gamers, the script kiddies, as well as some of the more astute and educated type of attackers. And discerning the two becomes a little cloudy because you do see in some instances targets that see both. And in some instances, you see just that specific targeted.
Starting point is 00:18:02 So that memcached attack, that was specifically targeted to a single organization. And you could identify that. You didn't see that overlap of attack activity. So I think that because you have more resource, and one highlight would be the YouTube attack with the 12-year-old developer. And, you know, I had a conversation with somebody before, and they said, well, yeah, he's 12. That being said, the complexity associated with the attack meant that he was capable. And the fact that you are seeing younger folks that have those types of capability is concerning from a futures perspective.
Starting point is 00:18:46 Yeah, I think it's an interesting perspective. I mean, when you look at, you know, the ability to amplify attacks, the way that the memcached attacks took place, there are multipliers there. And you have to wonder, you know, what are the unknowns in the future in terms of capabilities to that level of amplification? Yeah, and that's the thing. I mean, that was obviously a rarity. That doesn't necessarily mean it's an anomaly. There are probably things that a lot of us aren't aware of. I mean, this was something that I do believe was identified several years ago, but it was the change that was made by Linux inadvertently, so to speak,
Starting point is 00:19:27 that really did cause the greater collateral damage from an exposure standpoint, whether that's because organizations didn't have enough resource and weren't aware of that being exposed, or just because of the change itself. So it's hard to say, but you have to believe that once things are out there from a vulnerability standpoint, there are ways to then adapt and conform them. And I think that's kind of the risk that we face today. There's so much out there that it's hard to say
Starting point is 00:20:00 where the next thing's gonna come from. I mean, there's always chatter with some of these botnets. And you see the old toolkits being reused. You're seeing, you know, even from a takedown perspective, things that were taken down many years ago reemerging in a different way. So it's kind of an arms race of sorts. Now, what are your recommendations for folks looking at the trends as you're tracking them? What are some of the things you recommend in terms of folks protecting themselves? I think first and foremost, understanding their own environments becomes key.
Starting point is 00:20:33 And I know that's not always easy, but you have changing resource, you have changing network configurations, you have changes within providers themselves, but really wrapping their heads around what their environment looks like, first and foremost, and keeping track of that is very, very important, whether that's from acquisitions or downsizing. So I think that in and of itself exposes a customer in some way. The other thing is ensuring that once they've kind of identified those components in their environment, making sure that they aren't vulnerable in some way, and if they are, taking action or assessing what that risk potentially could be from a business perspective, and then incorporating all of that into their internal runbook or playbook of sorts
Starting point is 00:21:20 and identifying what is acceptance of risk, what is not, who are our providers, where do we have some level of exposure, what's our redundancy, and then executing that. You've got to practice it. You've got to understand it. And you have to do that at a minimum every quarter because everything is changing. We change our environment. The customer changes their environment. So anything as it relates to reacting, identifying seconds, minutes can be incredibly impactful from a decision-making standpoint,
Starting point is 00:21:52 from an identification standpoint. So if I had to say anything, those are kind of those key components in understanding your environment, practicing and executing and understanding what that risk might be. That's Lisa Beegle from Akamai. You can find their summer edition of the State of the Internet Security Report on their website. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed.
Starting point is 00:22:37 Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
Starting point is 00:23:04 and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.