CyberWire Daily - Google takes down YouTube influence operation. Cryptomining in a nuclear plant. Spyware in the Google Play Store.
Episode Date: August 23, 2019
Google takes down YouTube accounts spreading disinformation about Hong Kong protests. Cryptomining gear seized at a Ukrainian nuclear plant. CISA outlines its strategic vision. Telcos and law enforcement team up to stop robocalls. Spyware makes it into the Google Play Store twice. And a man gets life in prison for installing hidden cameras. Awais Rashid from University of Bristol on cybersecurity risk decisions. Guest is Cathy Hall from Sila on Privileged Access Management.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Google takes down YouTube accounts spreading disinformation.
Crypto mining gear was seized at a Ukrainian nuclear plant.
CISA outlines its strategic vision.
Spyware makes it into the Google Play Store twice.
And a man gets life in prison for installing hidden cameras.
From the Cyber Wire studios at DataTribe, I'm Tamika Smith sitting in for Dave Bittner with your Cyber Wire Daily podcast for Friday, August 23rd, 2019.
Google has joined Facebook and Twitter in taking down social media accounts, probably operated by Chinese government sock puppets.
Mountain View blogged yesterday that it closed 210 YouTube accounts it found spreading disinformation about the ongoing protests in Hong Kong.
Google did not explicitly attribute the activity to the Chinese government,
but it did note that the activity was similar to the campaigns flagged by Twitter and Facebook.
The videos were posted in what appeared to be a coordinated manner.
Google also observed behavior it associates with inauthenticity, notably the use of VPNs.
The SBU, Ukraine's security service, has found and confiscated crypto mining gear installed at a South Ukrainian nuclear power plant.
The rig the SBU took included six Radeon GPU video cards, a motherboard, power supplies and extension cords, a USB and hard drive, and cooling units.
They also raided offices at the National Guard Unit 3044, which is located at the nuclear facility.
That search turned up 16 video cards, a system unit with the inventory number of the military unit, seven hard drives, two solid state drives, a USB flash drive, and a router.
The Ukrainian online news service InternetUA said none of these hardware devices should have been on the premises in the first place.
The Ukrainian English-language news service UNIAN observed that one of the problems at the power plant was that the computers exploited were connected to the Internet.
Cointelegraph, which covered the raids, noted the similarities to the case of the nuclear engineers Russian authorities arrested in February of 2018 for pulling Bitcoin out of the Russian Federal Nuclear Center.
The nuclear power and research sector deploys a lot of computational power, and supercomputers attract cryptojackers.
An unknown number of people are under police investigation.
On Thursday, the Cybersecurity and Infrastructure Security Agency published a document outlining the agency's strategic vision, and CISA Director Chris Krebs summarized the strategy in a speech at Auburn University.
He said his agency's overarching job is to act as the nation's risk advisor, helping public and private sector entities form strategies to defend themselves against cyber attacks.
CISA will focus on five specific operational priorities.
Number one is China, which Krebs calls, quote, the most pressing long-term strategic risk to the United States, particularly as it relates to the supply chain.
Second is election security.
Third, soft target security or protecting crowded places.
Number four is federal cybersecurity,
leading the government in adapting to the speed of change.
Finally, the agency will work to reduce the risk to industrial control systems.
Twelve large telcos and the attorneys general of all 50 U.S. states and the District of Columbia
have agreed to give consumers some relief from robocalls.
The Wall Street Journal reports that AT&T, Verizon, T-Mobile, Sprint, and CenturyLink
are among the companies that have committed to working with the AGs to, quote,
provide customers with free call blocking technology, investigate and trace illegal calls,
and confirm the identity of their commercial customers as a part of the cooperation with law enforcement, end quote.
Many robocalls are not illegal per se, but an awful lot of them run afoul of fraud and consumer protection laws.
ESET uncovered a spyware app in the Google Play Store.
The app, called Radio Balouch, or RB Music, was built on the open-source remote-access Trojan AhMyth and doubled as a fully functioning internet radio app for Balochi music.
It can send text messages from an infected phone and steal contacts and files.
It also has a meaningless login page, presumably to steal reused credentials.
The malicious app made it through Google's vetting process twice.
ESET first reported the app to Google on July 2, and it was removed within a day.
Eleven days later, the same app reappeared in the Play Store with the same branding and functionalities.
Google again responded quickly after ESET brought it to their attention, but the researchers say the company should improve its vetting capabilities.
They note that, quote, as the malicious functionality in AhMyth is not hidden, protected, or obfuscated, it is trivial to identify the Radio Balouch app and other derivatives as malicious, end quote.
Ryan Alden, a former employee of a security company in Oklahoma,
was convicted of installing what reports call a staggering number of cameras in the houses he worked on.
Many of them were aimed at children's rooms, and the story is staggeringly creepy.
KFOR News reports that the judge, who expressed her regret that the law did not offer mutilation as one of the sentencing options, gave Mr. Alden life in prison, which Mr. Alden admitted might be fair enough.
And I'm pleased to be joined once again by Professor Awais Rashid. He's a professor of
cybersecurity at University of Bristol. Awais, it's great to have you back. We wanted to talk
today about making decisions when it comes to cybersecurity,
specifically based on risk.
What can you share with us today?
Understanding cybersecurity risks is a complicated matter
because, you know, if we all had a crystal ball, then life would be simpler.
And the fact of the matter is that everything we do on a daily basis,
we make risk decisions.
When you decide to procure that product or service, you make a risk decision. When you decide to even send an attachment with your
email, you make an implicit risk decision. But also when you're deciding at a more senior
level within an organization about the budgets that you allocate to your security, you make
a risk decision. And we have been doing sort of a large piece of work at understanding how different demographics within organizations actually understand the risk.
And to what extent do they actually respond to particular types of risks in particular ways?
How do people's perceptions of risks align with reality? So it's quite interesting that
people often attempt to understand the risks that are sort of much more in the spotlight. So
we have designed a game that is now being used quite widely across the UK and even internationally
to educate people about cybersecurity. And as part of that, we also collect quite a lot of data.
And it's quite interesting to see that people always, of course,
invest in the basics.
So they would go for things like antiviruses and firewalls.
But there is also always this tendency of an over-reliance at times on technology.
There is often this view that if we buy the latest security events and information management system or the latest intrusion detection system, that will solve all the problems.
And of course, risk is much more nuanced in that sense, because an organization will have a lot of different security needs and a lot of different controls would need to be put in place, from, you know, security awareness raising to some of the very basic things, to also intrusion detection systems and those kind of environments, encryption of your data and things like that.
And we find that it's not always that people consider all those risks up front.
How much do regulatory requirements come into play?
People are able to approach things from a sort of a checkbox point of view that we've
taken care of this, we've met this requirement, so we're good here, right?
The word checkbox is really quite interesting there. So it depends how you
want to implement a regulatory requirement. And if you think about it as checkbox, then you can
do things that will allow you to meet that checkbox. But does that actually improve the
state of security of your organization? It's an entirely different matter. And my favorite example of that would be the cookie rule in the EU, where, you know, we are supposed to all know that now
a website wants to place a cookie on our machine as you go and visit the website. And this was sort of
a big deal that was required. But all that has mattered is that now every website gets you to say,
well, I'm going to put a cookie on your machine and you have to click OK.
And that's it. It actually makes no difference. Cookies are still in use, but they are now compliant with that rule. At least we know.
And if you ask a lot of users, they wouldn't even know what a cookie is.
So you get your compliance, but you don't actually change the state of anything in that sense.
So I think regulation has a big role to play.
But the key question is, does regulation lead to an active change in the approach from organizations
and how do they deal with security and the risks that come from the various types of
threats that they face?
Yeah, it's interesting to me because I wonder, you know,
you have folks who are afraid of flying, for example,
but then are perfectly fine getting in a car when, you know,
we know statistically they're more likely to have some sort of an accident in the car
than they are in an airplane.
And are there similar misalignments with perceived risks
with some of the work that you're doing?
Yes, so, I mean, risk perceptions, of course, do vary.
And in many cases, people perceive certain risks to be more or less relevant.
The most interesting thing that we have seen is that very often, actually, security experts don't necessarily do any better than non-experts in that sense.
And in some cases, non-experts can have a much better understanding of the organizational context because of their day-to-day jobs compared to
security experts who may not always be aware of the implicit working practices that may be going
on within an organization. The key message that I've taken away is that actually employees are
a big resource. And if they can help understand what are the practices that go on in organizations and where the risks actually arise,
we can come up with much better ways to protect organizations.
But of course, mining that information in a large organization with a large number of employees is in itself a big challenge.
Professor Awais Rashid, thanks for joining us.
And now it's our pleasure to introduce our guest, Cathy Hall from Sila, who's here to discuss privileged access management.
For the longest time, security and especially privileged access management was in the purview of the infrastructure team.
There were a lot of administrators that needed to elevate their access in order to maintain and operate these underlying systems that kind of are essential to the enterprise.
And the old way of doing this was to grant everybody the default administrator access on these systems. So root for
Unix or local administrator or domain administrator for Windows boxes. And whenever they needed to
run anything with privilege, they would use these accounts. And all of the governance and all of the
security and all of the oversight was run by those same administrative teams.
What we've noticed more recently is that these privileged accounts are kind of the crown jewels
for the attackers that are trying to get into these systems because that really gives them
unfettered access within an enterprise or within the network.
So now the security teams as security within an organization has started to mature.
I think I heard you talking about how CISOs are being given that seat at the table now
that all the other C-suites have been granted, and they have a stronger view into these things.
They're realizing that this is their biggest problem, is that while you have attackers
attacking the network and attacking individual users, what they're really trying to do is
get to these privileged accounts and important data or destroy systems or kind of wreak havoc. And the only way they can do that
is to have these administrator accounts, these root accounts, these domain accounts. And so their
main purpose is to get to those. So we want to make sure that we're providing a little more
oversight, a little more governance and view to the security part of the organization to allow
them to determine whether or not that access should be used in that particular instance.
And so what is the modern implementation of that look like?
There are a number of pillars. I think it started with the password vaults.
What we see a lot of times in our personal uses, the LastPasses, the 1Passwords, our own personal password vaults, we started to implement those for administrative users.
So at least we were ensuring that the passwords that they were using were incredibly strong, can be rotated at a regular cadence, and that we had visibility into who was using those passwords.
But as this area has matured, more and more features have come out.
There's session monitoring and session isolation, where the user doesn't even see the password.
Originally, you would have to check it out or type it in; now these PAM tools can provide isolated sessions to the user once they've been authorized to do so, and then the password can be rotated immediately and they never see it.
And the next user that needs to use that same administrative account would be using a completely separate password.
And therefore, it's very easy to tell who is doing what within the organization with their privileged access.
Is there anything to this notion that there should no longer be an all-powerful admin account that's just sitting there at all times?
In other words, are we in an era where all access should be provisioned as needed on the fly and that it time out, that it be temporary for a certain amount of time?
Does that make any sense?
Yeah, absolutely.
So you're getting into an area where I think these vendors are starting to get to, which is what they call just-in-time provisioning. When the user, when the administrator needs to elevate their access, they're granted
that elevation only for a particular transaction for a limited period of time. These tools can
then go and take those privileges away from that account after it's met its use. These are features
that these tools are starting to put out there. I think there's some limited scope for what they can do
for now, but it's definitely an area that people are thinking through and looking for ways to
enable that type of provisioning.
Where do you suppose we're headed? When you look ahead, what's the future for this?
What this does is it gives a lot more insight into
activity and transactions so that we can start to move away from just even a least privilege model,
which is where we give everybody all of the access they need in perpetuity to do their job,
because that's where these systems are. And we move more to the zero trust model and
the just-in-time provisioning that you were talking about, which is for a particular transaction,
for a particular time, given all this other context that we have. So these systems right
now don't have visibility into context like, is there a service ticket open? Or is there a
vulnerability that we can pull in from this other system? But they're looking into that.
So every privileged transaction then can be validated and verified before it's even allowed to run.
I think that that is where these vendors are looking to go.
I think that's where we are all trying to help our organizations think, our client organizations think about.
And I really think that that's an important feature of a PAM program.
It takes work to get there. It
takes the ability to pull that context in. It takes a robust privileged access management tool.
It takes a robust privileged access management program run by your organization that has,
of course, buy-in from your stakeholders, but then buy-in from your end users and really kind
of watching that market to see when these vendors start to put out more interesting
capabilities like the just-in-time provisioning or some of these really interesting analytics
tools that they're starting to put out, which allow you to determine if a user's behavior
is out of the norm or out of expectation or out of their peer group and limit that access
at that particular time.
That's Cathy Hall from Sila.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.