CyberWire Daily - GossipGirl, the supra threat actor. LockerGoga’s destructive functionality. More hacking allegations out of Caracas. Revolutionary Guard now a designated terrorist group. Creepy crime.
Episode Date: April 9, 2019. In today’s podcast, we hear about GossipGirl, potentially a “supra threat actor” Chronicle sees linking Stuxnet, Flame, and Duqu. LockerGoga’s destructive functionality may be a feature, not a... bug. Venezuela now says its power grid is being hacked by Chile and Colombia. The US designates Iran’s Revolutionary Guard a terrorist organization. What’s up with New Zealand and hidden, networked cameras? And second thoughts about what counts as a “preliminary forensic investigation.” Joe Carrigan from JHU ISI on minding permissions on mobile devices. Guest is Mike O’Malley from Radware on the true costs of cyber attacks. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_09.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
GossipGirl, the supra-threat actor Chronicle sees linking Stuxnet, Flame, and Duqu.
LockerGoga's destructive functionality may be a feature, not a bug.
Venezuela now says its power grid is being hacked by Chile and Colombia.
The U.S. designates Iran's Revolutionary Guard a terrorist organization.
What's up with New Zealand and hidden networked cameras?
And second thoughts about what counts as a preliminary forensic investigation.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 9th, 2019.
Chronicle, Alphabet's security unit, has reported the results of their investigation of various strains of malware that have hit industrial systems, Stuxnet, Duqu, and Flame.
Not only are some variants returning, but Chronicle sees them as connected to GossipGirl, which it calls a supra-threat actor, a collection of threat actors interacting with one another in complex ways.
This will be worth watching, not only for what may be learned about more than three troublesome strains of malware, but also to see whether Chronicle's metaphysics catches on.
The researchers want, as they put it, quote, to compensate for an ontological deficiency in threat intel terminology and to investigate a collaborative umbrella of threat actors.
They think that the one-on-one equivalence of a threat actor to an institution or organization has left us incapable of accurately representing multi-institution, multi-country,
or multi-group orchestration in collaborative operational deployment,
platform deployment, or generally complex deconfliction practices.
Thus, the category of supra-threat actor.
The threat researchers at Securonix have taken a close look at LockerGoga,
the ransomware strain that afflicted Norsk Hydro and others.
The security firm has concluded that LockerGoga's destructive functionality may well be a feature, not a bug.
The exact infection mechanism isn't known,
but it's probably social engineering,
possibly using maliciously crafted RTF or Microsoft Word files.
According to Securonix, some strains of LockerGoga
change an infected system's administrator passwords
and log the victims off.
That's not unusual behavior for straight-up ransomware,
and it suggests to the researchers that whoever's running LockerGoga may be playing,
at least in some cases, a deeper game.
ZDNet talked to people at FireEye's Mandiant unit about LockerGoga,
and they think that even this more aggressive and destructive functionality
may be consistent with ordinary criminals.
They may not be saboteurs or nation-state intelligence services.
They may be ordinary extortionists trying harder to motivate their victims to pay.
Measuring the true cost of a cybersecurity incident can be tricky business.
There are the obvious measurable things like downtime, unavailability, and missed revenue,
but what other factors should organizations consider when calculating the potential costs?
Mike O'Malley is vice president of strategy at Radware,
and he sees organizations taking a more holistic approach.
Previously, when we were having this discussion, say four or five years ago,
the discussion was about, well, what is the cost of a cyber attack
in terms of downtime or in terms of website outage or in terms of lost e-commerce business
or something like that? But very direct costs, I would say. And then looking at that from an ROI
perspective of what are the costs then for cybersecurity in terms of software
and things like that that I want to put in place to prevent that. And what we've
seen then over the last couple of years is enterprises have gotten much more
knowledgeable, I would say, in an unfortunate way as these
breaches have become more and more common that there are much longer
lasting impacts and much longer lasting costs beyond just the initial cost of 30
minutes of downtime. And those things tend to be shareholder lawsuits, loss of trust, churn, loss of brand value.
If you look at the case of Yahoo, it actually drove down their stock
price and cost them hundreds of millions of dollars in their
transaction when they were being sold. So there's lots of
additional costs beyond just the cost of the
20 or 30 minute outage that can make the value of the breach or the cost of the breach much,
much higher exponentially than it initially is, let's say, in the first, you know, hours or days
after the breach. What do you suppose is driving the inclusion of these costs in the equation now where they weren't there before?
I think the main reason is a good thing, which is these discussions have moved up to the C-level,
right? They move from discussions within the CIO or the CISO group of, okay, with our particular,
you know, budget and investment profile to protect the business, how much, you know,
money emphasis can we put into securing our data
and securing our applications within the IT department?
The discussion has gone from there to now a brand level
or a company level discussion at the C level,
which is if we had a black swan event
and our website went down or IP was stolen
or private records were hacked
what would be the long-term impact to the business in terms of share price
what would it mean to our overall revenues what would it mean to customer
satisfaction and churn to get a much more holistic view of that so that as
part of kind of you know as part of scenario planning at the executive level
the c-suite has a much better
understanding of that because what we're finding is when there are these large breaches like Target
and others, it's the C-level that's held responsible now. It is the CEO and the CFO. It's not just
delegated to the CISO or somebody in the IT department. I think that's the big change.
Now, where do you suppose we are when it comes to being able to accurately measure and predict the risk of these sorts of things? Is it
still early days where we're doing a lot of guessing, or have we been at this long enough
that we can make accurate predictions? I think we're getting much, much better. I think we are
certainly able to make accurate predictions. In fact, you know, one of the
things that's a big emphasis within the industry is using now machine learning
and automation because what we're seeing is the bad guys have leveraged that now
for large-scale complex attacks that, to be frank, are just too difficult for
humans to combat against, right? That I have an automated enemy and I can't have a manual
defense and keep up. And so security has gotten much more sophisticated to the point that many
of these solutions now are becoming automated and intelligent in their own right, where they're
looking at the behavior of all of your applications, looking for anomalies, and basically sorting
through clues, trying to solve the mystery
of are you under attack or not, right? And so they're getting much, much better at that,
which, you know, puts the enterprise on level footing where now they have an automated response
to what is a sophisticated and automated attacker. But there's no question this is going to be an
ongoing struggle because it's clearly an arms race, right?
The bad guys will continue to get more sophisticated and better, and the good guys are going to continue to get more sophisticated and better.
But the important first step is now we're fighting fire with fire and using automation in the defense side, where automation has already been in place on the attack side.
That's Mike O'Malley from Radware.
Venezuela's Chavista regime continues to use its failing grid as a handy stick with which to beat
the neighbors. According to Colombia Reports, this time, Mr. Maduro says, the cyber attacks
against Venezuelan power generation and distribution are coming from Chile and Colombia.
Both are, in Mr. Maduro's view, Yankee cat's paws.
The allegation of cyber attack is no more plausible in its current version than it was when Caracas first came out with it.
Venezuela's grid failures are quite easily explicable in terms of corruption,
neglect, and decaying infrastructure.
Haaretz reports that a hacktivist, Dark Coder,
claims to have breached Israel's voter database as part of Op Israel.
Whether Dark Coder has actually done so or simply regifted old breaches is unclear.
Investigation is underway.
So far, not much else has surfaced with respect to Op Israel.
The U.S. has designated Iran's Revolutionary Guard a terrorist organization.
In a speech marking the country's National Nuclear Technology Day, Iran's President Rouhani responded that the U.S. is the real terrorist group because it's allied with ISIS.
This is a long-standing Iranian claim that generally has found few takers.
Tehran has indeed not liked the mostly Sunni killers of ISIS, but the caliphate really hasn't
been popular in any Western capitals either. The practical effect of the declaration will be to
further criminalize business and other dealings with Iran. There are at least a couple of saucy
hidden network cameras in the news this week, both with a New Zealand connection.
We mean conceptual connection, you understand, not necessarily a network connection.
For your consideration, a former Kiwi naval attaché in Washington is believed to have installed a hidden camera in an embassy's toilet.
Alas, he did so with a degree of ineptitude it's difficult to credit,
especially in a Navy officer.
The camera he allegedly installed only took pictures of people's feet
as they sat on the seat of ease,
and then it just kind of broke and fell out of the ceiling,
thereby blowing the gaff, or so people say.
Sad.
But who sweeps these embassies anyway?
Don't get cocky, any of you Five Eyes.
Add to this the experience of a New Zealand family vacationing in Ireland.
As any responsible father would do when taking a holiday in the Emerald Isle, Pater,
whose day job is infosec consultant, did a quick
sweep of their Airbnb. According to Naked Security's account of the incident, the tenant's sweep found
a camera hidden in a smoke detector. He called Airbnb, which initially told him that he could
cancel his stay, but he wouldn't be receiving a refund. He also called the owner of the house,
who hung up on him. Airbnb has since apologized because
of course undisclosed surveillance cameras are a violation of their policy and any cameras disclosed
or not in a bedroom or a bathroom are probably also a violation of the law. So really security
and voyeurism aren't the same thing. Maybe an artificial intelligence can't tell the difference, but it seems to us a regular human intelligence ought to know better.
And speaking of artificial intelligence, the Army Research Lab has been working on an AI that,
as Defense One's headline puts it, would be able to read soldiers' minds. Our military desk thinks
the U.S. Army has set a pretty low bar for itself. Surely there's someone at ARL who knows that any half-aware staff sergeant can read soldiers' minds as easily as falling off a log.
Or maybe ARL is working on a biomimetic program,
like that mechanical dog nose the chemical sensor guys have searched for for lo these many years.
Never got out of 6.3, if you're wondering, or so the Pentagon Budget and S&T
Transition Desk tells us. Anywho, now this. If the Daily Beast has it right, and smart money says
they are, that preliminary forensic investigation the U.S. Secret Service performed on Mar-a-Lago
gatecrasher Yujing Zhang's USB thumb drive consisted of an agent plugging it into one of his agency's computers,
where some sort of unwanted program began to run.
Woo, and the agent shut that machine down pronto, so no harm done, right?
Or maybe not much harm done, or maybe harm done. Who knows?
Doing that with a USB drive is like eating that half-melted ice cream you found on the sidewalk.
There's no five-second rule with malware.
And so, Watson, the game is afoot.
Miss Zhang had four cell phones, a laptop computer, an external hard drive,
and a USB drive in her possession when she was detained at Mar-a-Lago.
In her hotel room were found five SIM cards, nine USB drives, a fifth cell phone, that's five, count them, five,
and a signal detector of the kind you might use if you were, for example, a New Zealander on a holiday at an Airbnb.
And what, Watson, would be the dog that didn't bark?
Ms. Zhang wasn't carrying a swimsuit, so one deduces she wasn't there for
the pool party. Professor Moriarty was unavailable for comment. Elementary.
And joining me once again is Joe Carrigan.
He's from the Johns Hopkins University Information Security Institute.
He's also my co-host on the Hacking Humans podcast.
Joe, it's great to have you back.
It's good to be back, Dave.
You have got a story this week about some studies that some folks did about permissions on various mobile operating systems.
What's going on here?
Right. This is on iOS app permissions.
This is from Wandera.
Okay. And they have looked at 30,000 apps and found that a lot of them request permissions that you may not be aware they're requesting.
The point of the study is we often download these apps and we go through the permission process with just a click.
It's like a pencil whipping. You're just going to go ahead and say, yep, I agree to these things.
Yeah, clicking on the EULA.
Right.
And this is a perennial issue that we like to talk about.
But this one, this study is pretty good in its breakdown.
Okay.
62% of these apps requested access to your photo library.
54% requested access to your camera.
Out of 30,000 apps.
Out of 30,000 apps, right.
Okay.
And these are a mixture of paid and unpaid or free apps, right?
Okay, yeah.
And 51% asked for your location when it's in use.
Yeah.
So one of the things they talk about in the study is how often do you take a picture of a whiteboard when you're at work?
Right, just to save an idea so it doesn't get, before someone else comes along and erases it.
Exactly.
You take a picture.
Or you have an office policy that you have to erase the whiteboard before it's gone.
Well, that's intellectual property.
And if I have an app that's not on the up and up, I may not be violating any of the
app store's rules.
I just may be collecting information about what people write on whiteboards.
Well, you may be violating the rules of your company if that app has access to your photos, right?
Yeah, you may be deliberately exfiltrating data from your company.
That use case is a serious possibility.
We've seen plenty of examples of that where someone will take an innocent photograph of somebody standing in front of some terminal
or something and written on a sticky note on the monitor, it says it has the IP address,
username, and password.
Right.
Yeah.
We've seen that.
The interesting part about the iOS permissions is that in iOS, if something doesn't access
your personal information, it doesn't need the permission.
So if an iOS app needs internet permission, it just gets it.
When you would do an installation, it assumes internet permission is implied.
It doesn't ask for that specifically.
The iOS doesn't even recognize it as a permission.
If an app wants it, an app gets it.
Right, okay.
So the article goes on to make a couple of recommendations.
Regularly check your app permissions and settings.
Now, you and I just did this before we recorded this.
Right.
And it's actually really simple.
I'm an Android user.
I have a Google Pixel 3 with, I think, Pie,
whatever their cutesy little name for their operating system is.
Yeah.
And in settings, you go to apps, and then now at the bottom,
there's advanced, and you click on permissions.
And it really breaks it down very simply for you.
Yeah.
By the permission and you can click on the permission and then you can see the list of apps that you have installed and which apps are using that permission right now.
Right.
And we did this beforehand and I went through the microphone permission and revoked the right of Instagram and Facebook Messenger to have access to my microphone.
Mm-hmm.
Because I don't want them listening to me and then serving me ads, Dave.
Stop, stop.
Just stop.
You're fired.
Go away.
Ladies and gentlemen, it's sad.
This will be the last appearance of Joe Carrigan on the CyberWire podcast.
There's plenty of studies that say that's not the case.
Yeah, and on iOS, it's similarly quite easy. You go to the privacy
settings, but it's good to
you know, hey, set yourself a reminder or something
once a month on your calendar.
Go through, just review, go check your privacy
settings. Make sure nobody's
doing stuff you don't want them to do. You have to be
vigilant. Yep. Yes, you do.
Yeah. Well, Joe Carrigan, as always, thanks
for joining us. It's my pleasure, Dave.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly
evolving field, sign up for CyberWire
Pro. It'll save you time
and keep you informed. Listen for us
on your Alexa smart speaker, too.
The CyberWire podcast is proudly
produced in Maryland out of the startup studios
of DataTribe, where they're co-building
the next generation of cybersecurity teams
and technologies. Our amazing
CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.