CyberWire Daily - GPS jamming. Bank phishing. Exposed server. Censorship, East, West, and South. Is there a sealed indictment of Julian Assange?

Episode Date: November 16, 2018

In today’s podcast, we ask a question: when does a military exercise become hybrid warfare? Answer: when it affects civilian safety. Like with GPS jamming. Russian banks are sustaining a major, and well-crafted, phishing campaign. An unprotected server exposes SMS messages. China tightens laws enabling censorship and social control. It also helps Venezuela to do likewise. And did the US indict Julian Assange, or is it just a cut-and-paste error? Craig Williams from Cisco Talos with info on the sextortion scams they’ve been tracking. Guest is Christopher Porter from FireEye on threats in the aviation sector. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_11_16.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Question. When does a military exercise become hybrid warfare? Answer. When it affects civilian safety, like with GPS jamming.
Starting point is 00:02:07 Russian banks are sustaining a major and well-crafted phishing campaign. An unprotected server exposes SMS messages. China tightens laws enabling censorship and social control. It also helps Venezuela to do likewise. FireEye's Christopher Porter joins us to discuss security in the aviation sector. And did the U.S. indict Julian Assange, or is it just a cut-and-paste error? From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 16, 2018. Russian GPS jamming, denied by Russia but asserted by Norway and its NATO allies during a NATO military exercise, continues to raise questions about flight safety. More has emerged about the GPS denial last week. The Atlantic Council has a good account.
Starting point is 00:03:03 Norway's Ministry of Defense said the jamming began on October 16th and lasted through the end of Exercise Trident Juncture on November 7th. The ministry says the source of the jamming was localized to Russia's Kola Peninsula, which abuts northeastern Finland and Norway. Russia's foreign ministry has denied there was any GPS jamming and says this is just another instance of Russia being blamed for wildly implausible misconduct, but essentially nobody in Western military or governmental circles buys this. Probably no one in Moscow, and certainly not in Murmansk, up there on the Kola Peninsula, buys it either.
Starting point is 00:03:44 NATO Secretary General Stoltenberg confirmed the GPS disruption earlier this week, saying it was something NATO took very seriously. Russia has long paid close attention to electronic warfare, and it has repeatedly demonstrated effective capabilities both in combat, notably in Syria but also in Ukraine, and in major exercises. Its evident willingness to use a NATO exercise as its own exercise in electronic or cyber warfare is instructive. GPS denial is different from interference with a tactical FM network. It has indiscriminate consequences for civilian life.
Starting point is 00:04:22 As some NATO observers put it, since GPS denial affects the safety of flight, navigation, emergency services, and other civilian activities, this sort of jamming begins to shade off from testing and training and into hybrid warfare. Finnish authorities continue their investigation. We note in passing that while simple jamming is bad enough, meaconing GPS signals to send false geolocation data would be even worse, and that's a line better left uncrossed. So okay, you might be saying, the Russians seem to get a lot of stick around here, and so they do, for good reason. But it's therefore all the more important to remind
Starting point is 00:05:04 ourselves from time to time that Russian individuals and institutions are also the victims of cyber attack, and especially of cyber crime. One such case has surfaced at week's end. Bleeping Computer reports that Russian banks are under a major phishing attack by Silence, a criminal group thought to have roots in legitimate infosec work, where they gained familiarity with financial systems. The phishing emails represent themselves as originating with the Central Bank of Russia.
Starting point is 00:05:33 They arrive, as phishing emails usually do, with a malicious attachment. In this case, the body of the message tells the recipient that the attachment contains details on a new standard format for Central Bank of Russia electronic communications. Group IB, a Russian firm that operates internationally and has done some respectable work, says that the emails are well-crafted and convincingly present themselves as genuine communication from the Central Bank. A rival gang, Money Taker, is also currently active in phishing Russian banks. Group IB regards Silence and Money Taker as particularly dangerous
Starting point is 00:06:11 because of their familiarity with Russian banking communications and security measures. The more familiar one is with the target, the better the social engineering one can bring to bear. TechCrunch reports that a researcher in Germany found a server belonging to San Diego-based communications firm Vovox
Starting point is 00:06:30 that exposed millions of SMS messages. The server was unprotected, no passwords, and once it turned up in a Shodan search, it was easy to inspect the contents. Vovox took the server offline when TechCrunch told them they had a problem. Chinese authorities are pushing for vendors, both foreign and domestic, to bring their offerings into line with state-mandated censorship requirements, the Wall Street Journal reports. Among other things, China will want a great deal of user data from online companies.
Starting point is 00:07:04 The country's cyberspace administration is concerned to regulate activity on platforms where people can express opinions and platforms that have the ability to mobilize society. Effective November 30th, companies that provide online services must maintain extensive records on their users, including real names, times users log in and log off, network source addresses, and hardware used. Companies are expected to report suspicious events within 30 working days.
Starting point is 00:07:35 A surge in users would count, as would spreading illegal or harmful information. China's not alone in such ambitions. Indeed, some of its pupils may have surpassed the master. The formerly prosperous but now failed state of Venezuela has taken a page from Beijing's book on content control and has enlisted ZTE to show it the way, according to a long Reuters report. Venezuela's studies began under the late President Chavez, who in 2008 sent a delegation to study Chinese methods of establishing a national identity system.
Starting point is 00:08:10 The result of that study was Venezuela's Fatherland Card, which is now the leading edge of a system of social control that identifies, tracks, and, as necessary, represses citizens. ZTE is said to be embedded within many segments of Venezuela's system. In the West, social networks are working on content moderation at the behest of both governments, especially in Europe, and interest groups. Facebook is working hard to come up with an approach to speech governments wish to see curtailed. The social network casts its efforts as an enforcement of community standards, which represent an expansion of effective moves against inauthentic accounts,
Starting point is 00:08:51 bots, frauds, and trolls, into more ambitious moderation of content itself. And finally, remember Julian Assange? The U.S. Justice Department does. According to multiple sources, including the Washington Post and Ars Technica, it seems that justice inadvertently revealed through a cut and paste error that it's indicted the WikiLeaks founder. The indictment, if any, appears to be under seal, but Mr. Assange's name and what appear to be passages that describe him turned up, out of place, in a completely unrelated indictment. What, if anything, Mr. Assange is being charged with remains unclear.
Starting point is 00:09:31 If the most famous resident of Ecuador's London embassy ever emerges, however, a lot of people will want to have a word with him. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Starting point is 00:10:05 Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Starting point is 00:10:37 Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Starting point is 00:11:23 Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. You know, we've been seeing more and more coverage of these sextortion scams, and I know this is an area that you guys have looked at. What's your
Starting point is 00:12:19 take on this well in our most recent look at, it basically turned out that these are not only frequent and complex, but that people are reliably paying, which I think is what surprised us the most. You know, we were tracking, I think it was 58,000 wallets. You know, 80 of them had paid. And I do want to be clear, they're not one to one. If you go look at the post, we actually do have some charts about wallet reuse. But at a really high level, that's a couple of percentage points of people paying, which I think for these type of scams is surprisingly high. Now, are you tracking any evolution in the tactics here?
Starting point is 00:12:58 Yeah. So when we initially started looking at this, I think the most common scam was I hacked your computer and watched you on your webcam. And that seems to be one that's been going around for a while and they're adding some complexity to it now. They're providing things like passwords from data breaches to prove that they hacked your computer. And so that's all little tactics designed to basically manipulate the user into paying. I mean, when you look at this at a high level, they're trying to get an emotional response, right? That emotional shame response. So the user doesn't really think it through, right?
Starting point is 00:13:31 They don't really think, is this really viable? Did I use this password everywhere for the last 10 years? And instead, they want them to panic and just pay and not really think about it. Yeah, it's interesting, too. I mean, I think it plays on that sort of unspoken side of the Internet, where certainly they're pressing a button where obviously, you know, lots of people out there are consuming content that they wouldn't want to be out there publicly known about. And so that really opens up this vulnerability. is pretty telling. I mean, you know, some of these amounts are actually really high. I mean, there are some that were a thousand dollars or more. You know, I think when it comes to these type of scams, they're really trying to find those people who don't think, you know, and I guess you
Starting point is 00:14:13 could argue that that's true for a lot of email based, you know, attacks. Right. But I, you know, I think the combination of this one combining with the passwords that have been leaked, it's pretty creative. I mean, this is from a spam standpoint, this is a fairly sophisticated attack. Yeah, it's interesting too, because one of the things that we talk about is that when you question yourself with these sort of things, it's great to ask a friend. The very process of saying something out loud can lead to you realizing that there's a scam here. But when you're dealing with this kind of content, well, who are you going to tell? Right? Yeah, it's true. It's true. You know, I've had people reach out. I think most of us have privately and say, hey, this is fake, right?
Starting point is 00:14:55 And it's right. It's one of those scenarios where you're just kind of like, man, I never want to look at the gallery in your phone, do I? Right, right. So, I mean, is this a matter of getting the word out to people that this is fake rather than a purely technical solution? I think so. I mean, you know, these type of scams are never going to go away, right? It's just limited to the attacker's creativity. Here we've seen them combine, you know, some real world factual data with basically a shaming fantasy to trick the user into paying. There's not really a good technical way to solve this because the reality is it's just an email, right? And so I think this is just a user education problem.
Starting point is 00:15:34 Yeah. All right. Well, Craig Williams, thanks for joining us. Thank you. solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. My guest today is Christopher Porter. He's Chief Intelligence Strategist at FireEye and Senior Fellow at the Atlantic Council. He recently testified before Congress on the cybersecurity threats to the aviation sector. He joins us to share his views on why that particular vertical makes an attractive target. I think the key thing to know about the aviation sector is that it's probably the most targeted sector of at least the U.S. economy that we see at FireEye. So to give you some perspective, we track 38 advanced
Starting point is 00:17:00 persistent threat groups, APT groups. 27 of those we know somewhat regularly target aviation. So nearly three quarters target aviation if you include manufacturers, airports, airlines. And that's not even counting, obviously, criminal targeting, which is pervasive. So it's a sector of the economy that's routinely targeted. And obviously, in certain parts of the sector, you've got people's lives on the line. Commercial air travel, for example. So there's always a lot of concern about the potential for cyber espionage to turn into a cyber attack, not just on availability of systems, but on people as well. Yeah, let's dig into that some, because I think obviously, you know, we could we could jump to the worst case scenario of airplanes falling out of the sky, which obviously we haven't seen. But when you say that aviation is a target, what sorts of things are they going after?
Starting point is 00:17:54 Overwhelmingly, it's targeting either the business data, so that for airlines, for example, that could be traveler records. You know, criminals would target that as well as nation state espionage groups would have an interest in getting traveler records. It could be trying to get a foothold for direct criminal purposes. So can I steal credit card numbers? Can I ransomware a system that maybe doesn't put people's lives at risk but is necessary for airline operation? for airline operation. And of course, we do have some examples of airports being targeted for political purposes, mostly in Asia and Europe, you know, messing with the display screens at baggage or in the terminals displaying political messages. In the U.S., I think you, and to some degree in Europe and Japan as well, you have a lot of targeting of the big manufacturers and research
Starting point is 00:18:45 and development, both at universities and in private companies. You know, theft of intellectual property is probably the biggest economic danger overall. And how is the aviation sector in terms of preparation for this? How are they responding? Are they standing up to the task? It really depends. You know, aviation sector, again, is so broad. That obviously includes cleared defense contractors, you know, the big prime contractors in the U.S. and Europe. They've got very robust security programs naturally. But if you think about airports, for example, an airport could be owned by a local metropolitan authority. It could be owned by the state.
Starting point is 00:19:23 It could be a mix of, you know, private ownership of parts of the terminal. And so you've got a lot of different stakeholders. And oftentimes everyone assumes that everyone else involved is responsible for security. You know, we see that a lot where there's not necessarily one standard that everyone's meeting and it's a cost center that gets pushed off to other people who are involved in the process. Additionally, if you're a commercial airline or an airport, you've got a lot of partners that are plugging in. You've got retailers, restaurants, third-party ticket sellers. So there's a huge threat surface. And all of this is happening in an environment that is both you have to think about protecting people's lives, making sure air travel is safe
Starting point is 00:20:05 is the top priority. And you've also got to do it in a way that's very timely and convenient. So often security is sort of the last area of investment. And in my experience, it just varies greatly from airline to airline and airport to airport. Some are doing a very good job. Others have a lot of sort of commodity malware or minor nuisance issues. And it's not necessarily just because of the competence of the people there or the investments they make. Often they have very good security teams. It's just a very big security challenge. You recently testified before Congress on this topic. What specifically was their interest? What direction are they coming at this from?
Starting point is 00:20:46 Yeah, it was a great discussion with the House Homeland Security Committee. Chairman Ratcliffe and others were very interested in, I would say, both the routine targeting for economic purposes, especially theft of intellectual property. They're very concerned about that because aviation is, you know, by some estimates, America's biggest export sector. So, you know, it obviously could be very detrimental to the U.S. economy. They're concerned about intellectual property theft. But a lot of questions did focus on the ability to disable airplanes or to pose a lethal threat. That's obviously more their remit and focus. And it was a primary focus of a lot of the questions that we got.
Starting point is 00:21:24 I do think it is important to keep in mind that cyber espionage does provide a front into these networks that could be used to disable operations. But the only thing we've seen actually happen so far has been disrupting the ability of airlines, for example, to coordinate flight plans. Pilots sometimes get flight plans distributed on their iPads or something like that. Those kind of systems are not going to hurt traveler safety. They just won't take off if there's a problem. But you could absolutely disrupt an airline's operations for a short period of time by going after those systems. And we have seen that. So the Homeland Security Committee was concerned about everything from economic threats,
Starting point is 00:22:05 but especially focused on the potential for lethal threats. Sometimes we get questions about China's involvement in intellectual property theft and wasn't there an agreement to sort of stop that. On the one hand, I do think Beijing has mostly lived up to their commitments to not steal intellectual property directly through cyber means. They use cyber means to maybe help target it and other elements of national power. But direct cyber theft, we did see that drop off very significantly. Aviation, unfortunately, because it's so closely related to military capabilities, that is not an area where we've seen a drop off. So that's sort of good news, bad news. Most American businesses face less direct risk of cyber a more intense focus on intellectual property theft of the aviation sector.
Starting point is 00:23:07 Good news for many of your listeners, but it's more risk than ever if you're working in aviation. That's Christopher Porter from FireEye. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. informed. Listen for us on your Alexa smart speaker too.
Starting point is 00:23:43 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan,
Starting point is 00:24:00 Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, Thank you. deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your
