CyberWire Daily - Former Air Force counterintelligence specialist indicted on charges of spying for Iran. Where’s the stolen Equifax data? Two alleged Apophis Squad clowns indicted.
Episode Date: February 14, 2019. In today's podcast we hear that US prosecutors have unsealed the indictment of a former US Air Force counterintelligence specialist on charges she conspired to commit espionage on behalf of Iran. The US Treasury Department announces further sanctions on Iranian individuals and one organization named in that indictment. Two alleged members of Apophis Squad are indicted. Whatever became of all the data stolen from Equifax? That information's apparently not for sale on the dark web. Malek Ben Salem from Accenture Labs on reducing the attack surface of containers. Guest is Kevin McNamee from Nokia with results from their recent threat intelligence report. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/February/CyberWire_2019_02_14.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
U.S. prosecutors unseal the indictment of a former U.S. Air Force counterintelligence specialist
on charges she conspired to commit espionage on behalf of Iran.
The U.S. Treasury Department announces further sanctions on Iranian individuals
and one organization named in that indictment.
Two alleged members of Apophis Squad are indicted
and whatever became of all the data stolen from Equifax?
That information's apparently not for sale on the dark web.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 14th, 2019.
Today's news has a great deal to do with espionage. This time, the espionage in question is, according to
the U.S. Departments of Justice and the Treasury, Iranian. The U.S. Department of Justice has
unsealed an indictment against Monica E. Witt, now also known as Fatima Zahra. She's a former U.S.
Air Force technical sergeant who served as a counterintelligence specialist and Farsi linguist between 1997 and 2008.
After leaving the Air Force in 2008, she continued to work as a government contractor,
first briefly for Booz Allen Hamilton and then for around two years for Chenega Federal Systems.
Before she defected to Iran in 2013, the Washington Post reports,
the FBI warned her she was probably the target
of recruitment by Iranian intelligence, and she promised to be careful if she returned to Iran,
and also promised not to give Iran classified material. The indictment charges, of course,
that she did exactly that. Recruitment there was, according to the Justice Department.
A quite public turn in sympathies was marked by her attendance at a New Horizons organization conference in Iran on Hollywoodism,
that is, the depravity of American popular culture.
The indictment alleges that after her defection, Ms. Witt created dossiers, target packages,
for Iranian intelligence services on her former colleagues in counterintelligence,
thereby contributing to the social engineering of U.S. security and intelligence personnel.
The indictment indicates that there were six manners, ways, and means of the conspiracy
by which Ms. Witt is alleged to have committed espionage.
She used her position as a special agent with the Air Force Office of Special Investigations to gain access to classified information. She traveled to Iran, where she
identified herself as a U.S. military veteran. She met with members of Iran's Islamic Revolutionary
Guard Corps and expressed a desire to defect to Iran. She provided her bona fides to the
Revolutionary Guard to demonstrate that she was willing and able to pass them information that would interest them.
She created target packages to enable the Iranian government to target U.S. counterintelligence agents.
Finally, the indictment says, she provided U.S. national defense information to the Iranian government.
Four Iranian nationals were also indicted.
They're referred to collectively as the cyber conspirators because they acted against at least eight U.S. operators,
counterintelligence agents,
using various social engineering techniques to compromise them
and gain access to their organizational networks.
The social engineering techniques include spear phishing,
fraudulent use of stolen identities, and at least one catfish.
These attempts seem to have been at least partially successful.
All eight of the U.S. agents whom the cyber conspirators approached had at one time, the Justice Department said in a public statement, worked or interacted with Monica Witt.
The indictment is worth reading, not the least for the set of
definitions it lays out at the beginning. Target package is worth a note. It means what you would
think. A target package, according to the Air Force Office of Special Investigations, is, quote,
a document or set of documents assembled to enable an intelligence or military unit to find,
fix, track, and neutralize a threat, end quote. A human target package of the kind Ms. Witt is alleged to have prepared on her former colleagues
includes not only the targeted person's official position,
but an analysis of personal vulnerabilities or other opportunities to exploit the individual
and confirmation of the identity and location of the individual.
It also recommends a neutralization plan,
where neutralization might include apprehension, recruitment,
cyber exploitation, or capture-kill operations.
In this case, the cyber conspirators are thought to have carried out
such neutralization plans.
This kind of social engineering is traditional espionage craft
carried out in cyberspace.
Needless to say,
Ms. Witt is not in U.S. custody. She's probably still in Iran. Apparently, she was a volunteer whose eagerness to serve put some Iranian intelligence officers on their guard,
suspecting she herself might be used against them. But ultimately, they apparently decided
that she was the genuine article,
an ideologically motivated asset. In her frustration with Iranian slowness,
Ms. Witt apparently considered going to either WikiLeaks or the Russians instead,
but her heart appears to have been in Tehran. In a coordinated action, the U.S. Treasury
Department announced sanctions against the four Iranians and the New Horizons Organization,
a now notorious front group of the Revolutionary Guard.
Researchers at Nokia recently published the latest version of their threat intelligence report.
Kevin McNamee is director of the Nokia Threat Intelligence Lab.
The main thing that we found in this report was the increase in IoT botnets, rogue IoT devices on the Internet.
These devices are being collected, gathered together and formed into botnets that can be used primarily for DDoS attacks.
They are also used for credential stuffing.
They're used for coin mining and also used for identity theft. To put it in perspective, the IoT bots themselves were responsible for about 78% of the actual network activity we detected in the networks where we're deployed.
And so what does this indicate to you in terms of year-over-year trends and what we might expect this year?
In the upcoming year, I only would expect it to increase. We started to see this activity in 2016-2017 with the outbreak of the Mirai botnet. And the Mirai source code was actually distributed on the network. It was given away publicly. And since then, we've seen an evolution of a fairly large number of different IoT bots based on this Mirai source code.
And what are you seeing in terms of effectively defending against these sorts of things? Have we grown in sophistication from that end of things?
Sadly, no, not at the moment. But there are certainly a number of efforts by the carriers themselves, by standards organizations, to help solve this problem.
The main issue with the IoT devices, of course, is they're on the network and they're unprotected. These tend to be small devices. They don't have antivirus. They're not protected by firewalls.
So if they are visible, and in other words, if they have a public Internet IP address or they're accessible through a home router, it is possible to scan these devices and they'll literally be infected.
If they're vulnerable, they'll be infected in a matter of minutes on the Internet itself.
So the key thing, one thing that protects them is if you can conceal their presence from the Internet itself. If you've got a home network, make sure you've got your home router correctly configured so they're not visible to the Internet.
And if you're deployed on a mobile network, a carrier network, then again, with the use of carrier grade NAT or something like that, the service provider can provide some protection by making these devices less visible.
Now, one of the things the report points out is that we expect to see 5G networks coming online throughout this year, and that could have an effect on the adoption of IoT devices there?
Yeah, that's correct. I think 5G in general, from a security perspective, brings some very good new developments to the security area.
But it also creates a situation that can be potentially bad.
The good stuff that's there is that the whole control plane is now encrypted and strongly authenticated, which is really good.
They've introduced slicing, which provides network segregation, which is also very good. And of course, the main
benefits of 5G are the increased bandwidth and the ability to deploy these IoT devices.
But some of those things also bring a sort of negative effect. For example, the fact that you've got more bandwidth and more IoT devices means that these botnets that we've seen, which are primarily used for DDoS attacks, are going to get more bandwidth they can leverage in the DDoS attack, and they're going to be more visible when 5G comes along.
So even something like slicing, if you put all your IoT devices in a particular network
5G slice, it means that people, the attackers are going to know which, that's a good slice
to attack because there's potentially vulnerable devices there.
The important thing is to make sure you treat IoT devices, the security, seriously.
First of all, they should be securely configured and securely deployed.
You have to be able to patch these devices and get security patches out to them right away.
The communications and the authentication that you use have to be robust and it has to be secure.
A lot of the Mirai attacks are using default passwords to break into these things.
That's, of course, crazy.
You have to make sure that there's strong authentication, use digital certificates and
stuff like that.
And I think the final thing is that these devices are relatively helpless on their own.
They should be monitored for potential security violations, monitored for potential bad traffic.
And I would say that the carrier, the network carriers,
people are building the networks, they should be able to detect rogue IoT devices and remove them
from their network should that be required, because these DDoS attacks can become quite severe.
That's Kevin McNamee from Nokia. You can find their threat intelligence report on their website.
Here's another bit of espionage news.
Stolen PII usually turns up for sale in some dark web market, of course.
That's the typical way criminals monetize their take.
But curiously, that apparently hasn't happened with the data lost in 2017's big Equifax breach.
The information's nowhere to be found.
CNBC has been speaking with sources who are convinced that a foreign intelligence service has the data, and indeed that a foreign intelligence service was responsible for hacking it in the first place. It's of course possible that a common criminal stole the information and then decided it was too hot to fence, but that's looking increasingly unlikely. PII are of course useful in social engineering, that is, in recruiting agents.
Who might have been responsible is unknown.
After all the creepy allegations and suspicions of espionage,
it's almost with relief that we turn to more ordinary, squalid, motiveless cybercrime,
and nobody does squalid and motiveless better than the creeps of Apophis Squad.
We hope soon to be able to say did, putting them in the past tense.
A leading alleged Apophis Squad skid, Mr. Timothy Dalton Vaughn,
whose hacker names include HDG0, WantedByFeds, and Xavier Farbell,
was indicted by the Feds after his identity was compromised via a hacked gaming site.
That an Apophis Squad member should be hoisted on his gaming petard seems almost too good to be true.
But there you have it.
One of his alleged confederates, Mr. George Duke Cohen, was also indicted.
Their alleged activities include swatting, DDoS, doxing, bomb threats, bogus 911 calls, phony reports of airliner hijackings.
In short, the whole sad customary run of skid lulz.
There was a criminal commerce angle to some of their misbehavior.
They are said to have advertised their services online.
If you had a grudge against your high school, for example, for a small consideration,
Mr. Vaughn and Duke Cohen would allegedly
shoot off a bomb threat to shake things up. Should they be found guilty, and hey,
they're entitled to the presumption of innocence, may their names be forgotten.
May they be placed where they will do no further harm. And one hopes where they will be rehabilitated.
And joining me once again is Malek Ben-Salem.
She's the Senior R&D Manager for Security at Accenture Labs.
Malek, it's great to have you back.
We wanted to touch today on security when it comes to containers and specifically some stuff you wanted to share about reducing the attack surface.
What do you have for us today?
Yeah, so this is research that we've conducted over the last year and that we've recently published at Black Hat Europe.
And the research looked at public container images.
We know that a lot of people use the existing public container images,
which are full of vulnerabilities, unfortunately.
These are container images that are available on Docker Hub, for instance.
They're official Docker images that people reuse because they think they're the standard.
The problem is that, as I mentioned, these have potentially thousands of vulnerabilities.
So if you think about a container, a container, you know, runs or is supposed to run one single
application. Just like Unix tools, containers should be atomic in nature. They perform one task,
but they should perform it very efficiently,
which means that a container should be developed to run just that one application that it needs to
run. And only the required libraries, the required binaries, files, and network protocols that are
required to support that application should be part of the container. Now, this is not the case for the container images that we see out there.
These images are used over and over by developers, and they contain vulnerabilities that get
carried over to many new operational environments.
So in our research, we've developed a tool that profiles the application running on each container.
It identifies the subset of resources that are essential for that application to run correctly and to perform its normal operations.
And the profiling is container-wide.
It's very fine-grained.
So it comes back with that subset of required libraries, binaries, etc. And it strips out, removes the other libraries that are not required for that application. What this does eventually then
is that it removes all the vulnerabilities associated with those libraries that are not
needed for that application. Therefore, it reduces the attack surface for these
containers. So according to our study, we've been able to remove 50 to 70 percent of vulnerabilities
for these containers, these container images that are out there without impacting the application's
functionality. Now, help me understand, how have the available sort of, I guess, open-sourced containers,
how have they strayed from that original intention for containers, the simplicity that was supposed
to be part of the initial design?
Well, I guess it's just, as we know, people like to reuse stuff.
Developers are lazy when they can reuse stuff.
They don't bother to create a minimal image.
There are some minimal images.
There's a small base image layer called minideb, for instance, that is supposed to be used, that's available on Docker Hub.
It's a minimalist Debian-based image that's built specifically to be used as a base image for containers.
You know, we know developers, I don't want to say lazy, but it's human nature to take the easy way. So if there is a container that's already running the application they're looking for, they don't build one from scratch with this smaller, this minimalist base image. They just reuse the available container that's running the application.
But then the risk there is that that container has a lot of unnecessary stuff along for the ride that could present an unnecessarily large attack surface.
Exactly.
Yeah.
All right.
Well, it's interesting work you're up to there.
As always, Malek Ben Salem, thanks for joining us.
Thanks for having me, Dave.
sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening.
We'll see you back here tomorrow.