CyberWire Daily - Hacks, and rumors of hacks. Burisma incident under investigation. SharePoint exploitation. How to spark a run on a bank. WeLinkInfo taken down. Phishbait update.
Episode Date: January 17, 2020
Hacks and rumors of hacks surrounding US-Iranian tension. Ukrainian authorities are looking into the Burisma hack, and they'd like FBI assistance. The FBI quietly warns that two US cities were hacked by a foreign service. The New York Fed has thoughts on how a cyberattack could cascade into a run on banks. Arrests and a site takedown in the WeLeakInfo case. And a quick look at the chum being dangled in front of prospective phishing victims these days. Emily Wilson from Terbium Labs on synthetic identity detection. Guest is Eric Haseltine, author of The Spy in Moscow Station. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/January/CyberWire_2020_01_17.html Support our show. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code N2K at checkout.
Hacks and rumors of hacks surrounding U.S.-Iranian tension.
Ukrainian authorities are looking into the Burisma hack and they'd like FBI assistance.
The FBI quietly warns that two U.S. cities were hacked by a foreign service.
The New York Fed has thoughts on how a cyber attack could cascade into a run on banks.
Arrests and a site takedown in the WeLeakInfo case.
And a quick look at the chum being dangled in front of prospective phishing victims these days.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, January 17, 2020.
U.S. jitters about the possibility of Iranian cyberattacks persist.
While many of the warnings are founded largely on a priori probability,
CyberInt reminds everyone that Iran does have a track record in cyberspace,
and it's probably worth reviewing that record given recent events.
During heightened periods of tension, misdirection is often successful,
and Fortune cites experts who caution against jumping to conclusions.
False flags are always a possibility, and Russia has flown an Iranian false flag in the past.
Britain's GCHQ and the American NSA this past October issued a joint warning that the Russian threat group Turla had used Iranian infrastructure to carry out a range of operations.
While most of the cyber activity arriving in the wake of Iranian proxy attacks on U.S. personnel and installations in Iraq and the U.S. drone strike that killed the commander of Iran's Quds Force has been low-level defacement of low-level websites, there have been more serious instances of online threats.
Families of deployed U.S. paratroopers are receiving harassment in social media.
The source is unclear, the Military Times reports.
The 82nd Airborne Division deployed its 1st Brigade Combat Team
to the region early this month in response to increased tension.
The division is briefing family members back in Fort Bragg
and Fayetteville, North Carolina, on how to stay safe online
and how to respond to threats made in social media.
There are signs, Military Times says, that the division's Morale, Welfare, and Recreation
Network, a communications network that supports soldiers and their families in ways its name
suggests, had been compromised, and that hostile actors had used information gained from the
compromise to threaten or frighten families.
A representative sample of the messaging is,
quote,
If you like your life and you want to see your family again,
pack up your stuff right now and leave the Middle East.
Go back to your country.
You and your terrorist clown president brought nothing but terrorism.
You fools underestimate the power of Iran.
The recent attack on your expletive bases was just a little taste of our power.
By killing our general, you dug your own grave.
Before having more dead bodies, just leave the region for good and never look back.
So there.
Again, it's unclear whether this particular psychological operation is being directed from Tehran.
It's just as likely to be the work of inspired freelancing amateurs.
Reuters reports that Ukrainian authorities have asked for FBI assistance in investigating the alleged Burisma hack by Russia's GRU and related matters.
The White House also says U.S. President Trump may raise the Burisma affair with Russian President Putin.
It's worth noting that the Burisma hack, while Area 1's report has been widely accepted, is still a developing story.
As E&E News points out, the story absolutely passes the laugh test, but the Area 1 report may not have entirely closed the case.
ZDNet reports that the FBI has quietly warned industry partners that two unnamed U.S. municipalities have been successfully breached by nation-state hackers. Their preferred attack has come through the SharePoint CVE-2019-0604
vulnerability, and thus city governments and others who use SharePoint should look to their
patching. The Bureau doesn't say which nation-state was behind the attack, or even if there was more
than one nation-state involved. CVE-2019-0604 has been popular with both spies and crooks.
Looking at the spies, ZDNet notes that Palo Alto Networks has seen China's Emissary Panda
making its way into targets through this particular flaw.
But of course, which country prompted the FBI's warning remains publicly unknown.
A report by the Federal Reserve Bank of New York concludes that a cyberattack on a small
number of banks could propagate rapidly through the U.S. financial system through the wholesale
payments network.
It's not necessarily that the malware itself would spread, but rather the way an attack's
effects would be amplified by practices like liquidity hoarding, creating a virtual run on the bank.
The Fed glumly calls the study a pre-mortem analysis,
which seems more pessimistic than alternatives like assessment, diagnosis, or prognosis.
We know, we know, John Maynard Keynes said that in the long run,
we are all dead, and we get it.
Heck, our sports desk even keeps a "Father Time is undefeated" memento
around. But come on, Fed economists, throw us a bone here and give us something to hope for.
Pre-mortems forsooth. U.S. authorities have seized WeLeakInfo's domain as part of an
international law enforcement operation against the online market that dealt in compromised
credentials. Two men associated with WeLeakInfo have been arrested,
according to Computing and others,
one in Northern Ireland, the other in the Netherlands.
Bleeping Computer observes that one need look no farther than this particular case
to see that the authorities, in general and around the world,
take a very dim view of those who traffic in stolen credentials.
What's the fish bait most commonly used in the wild?
What subject lines do the hoods think you, friend, are going to swallow, hook, line, and sinker?
KnowBe4 says it's seeing these:
SharePoint: approaching SharePoint site storage limit.
Microsoft: Anderson Houck has shared a whiteboard with you.
Office 365: medium severity alert, unusual volume of file deletion.
FedEx: correct address needed for your package delivery.
USPS: your digital receipt is ready.
Twitter: your Twitter account has been locked.
Google: please complete the required steps.
Cash App: your account has been closed.
Coinbase: important, please resolve error now.
And, would you mind taking a look at this invoice?
Would I mind?
Yes.
Yes, I would.
What do these exhibit?
That the fish tend to bite from fear, from greed, or out of a desire to cooperate.
And finally, we close with another bit of good news.
Bitdefender has released a decryptor for Paradise Ransomware.
Bravo, Bitdefender.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
And joining me once again is Emily Wilson.
She's the VP of Research at Terbium Labs.
Emily, I know something that you all have been tracking with the work you do with fraud and identity protection and so on is tracking this development of synthetic identity detection.
What are you looking at when it comes to that?
are identities that are pieced together using either components from multiple real IDs or some combination of real IDs and fake information. And so synthetic IDs might, for example, mean
using a real address, someone else's date of birth, for example, and perhaps the social security
number of a child or a social that hasn't been issued yet.
And so with that composite information, then a criminal might go and apply for credit,
for example, and try and open a credit card or create a credit profile in some way.
And if we think about that situation and say, well, surely they must flag that and say,
you know, a three-month-old can't possibly be trying to take out a $10,000 loan. You might hope that, but as with so many things in this space, that's simply not true. However, not all hope is lost in theory. Cautious optimism.
A couple of years ago, we heard that there was a tool in development from the Social Security
Administration that
would be issued to banks and other financial institutions and perhaps a few others in this
sort of credit space that would allow them to verify information with whatever loans or requests
they have coming in against the Social Security Administration database. Again, this sounds like
something that should have existed all along, but it doesn't. It didn't. And it might now. So that information, that tool first kind of came
up a couple of years ago, and it looks like heading into next year, this may finally become
available to some of these institutions. And I'm very curious to see what this uncovers about
synthetic identity fraud and the rates in which
certain groups have been exploited for this. Because right now, the numbers are a little bit
all over the place. We know it's very popular for automobile fraud, for example, but it's been a
really hard thing for institutions to track. And as they have access to this tool, I think we're
going to start to see some interesting shakeups there.
Are there any concerns that the tool could be used in the other direction, that bad guys could slip someone money who has access to this tool to get legit social security information?
Absolutely.
That's almost certainly going to happen.
I think it is only reasonable to assume that that is going to be
the case. The same way that criminals have access to things like DMV databases, voter databases,
they gain access to hospitals. One would hope that whoever is developing this tool for these
financial institutions and social security administration are going to think about ways
to keep that safe.
But no system is infallible. And you're going to have a lot of people from a lot of different
institutions who are going to be trying to use this to run a variety of queries. And so I expect
that we will see fraudulent access. I think it will be a few years before we hear about that
happening. But I'm hoping that on balance, this will allow these institutions to do
a check of their backlog of requests, for example, and say, hey, you know, it occurs to me that
if there's a social security number that hasn't been issued yet, they maybe shouldn't have six
credit cards. It's really hard with something like this where you want to assume that it has
existed the whole time and to find out that only just now it's potentially coming into play.
And of course, these are estimates about when it's being released, right? The estimates are
that starting in summer of 2020, a handful of companies will begin to be able to
check this service. Now, of course,
those companies also needed to help fund this service, and they are responsible to pay a fee
going forward on this service. And so I think we can hope that whatever they've paid to put
this together, they will be able to reap the benefits by preventing fraud on however many millions of accounts. If we find out that however many million children have had their social
security numbers used to create these synthetic IDs, how do we go about fixing that? Do we reissue
those socials? Do we provide credit freezes for those children? Do we begin credit monitoring
on these two-year-olds?
What does the aftermath look like? How do you inform parents or guardians of that situation?
Where do we go from here? And what is the next thing that criminals are going to do to continue to try to exploit this? And so those are some big questions that we need to be thinking about now
before companies go in and start finding this information so that we can be
ready when that information is available. All right. Well, Emily Wilson, thanks for joining us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
the cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe
and compliant. My guest today is Eric Haseltine.
He's former director of research at NSA,
and prior to that was executive vice president of Disney Imagineering.
His new book is The Spy in Moscow Station,
a counter-spy's hunt for a deadly Cold War threat.
The book is about a six-year hunt for a devastating leak in our national security that was getting a lot of our assets, that is Russian citizens who were spying for us, arrested and executed.
got the very strong impression that certain countries, especially Russia,
were far advanced in certain kinds of spy tradecraft over us.
And I needed to raise people's awareness of it.
And that was the main reason that I wrote the book and that the main character in the book, Charles Gandy, wanted to have his story told.
Well, take us through the story.
I mean, give us an overview
of how this all played out. Well, Gandy went to Moscow in the spring of 1978,
and it just so happened that when he was there, they broke into a false chimney because someone
had heard noises there. And they found an antenna and some electronics connected to that antenna that
were clearly some kind of eavesdropping device the Russians had snuck into the embassy. And it
was pointed at the ambassador's office. Gandy actually got his hands on the antenna and
listened through it with his special gear, and he figured out what was happening.
And what he figured out was that the Russians had got
some kind of implant that was listening to some kind of text device. It could have been a printer,
could have been a typewriter, could have been a enciphering machine. And they were sending it
out in bursts. And they were very, very difficult to detect. Basically, what they did is that they
hid in plain sight.
And so he knew, so he went to the chief of station and said, this is what's happening.
And basically nothing was done and no one believed him. And people continue to get arrested and there continued to be problems. And this, this whole thing did not get resolved until six years later.
Because a lot of what was happening is CIA said, well, no, what he's talking about didn't really happen.
What he saw didn't really happen.
But what happened was in 1983, the French discovered an incredibly sophisticated Russian bug in one of their embassies and told the head of NSA about it.
And they sent it to Gandy. And they said, hey, you got to do something about this. But
what had turned out to happen in about 1981 or so, the director of CIA was so ticked off at Gandy
and the trouble that he was making about this problem that he ordered NSA to get out of the business and to stand down.
And so when the French bug came and the head of information security at NSA, a really colorful
guy named Walt Dealey, came to Gandy and said, well, you got to get all over this. If they're
doing this to the French, who are a third-rate power, what are they doing to us? They must have
stuff there we can't even find. And Gandy said,
I can't. The CIA director has told me I can't do it. And Walt Dealey says to him, what would it take?
And jokingly, Gandy says, well, you'd have to get a letter from President Reagan.
So three days later, Dealey comes back and he has a letter from President Reagan. He had gone to the
White House and gotten Reagan to sign a letter
authorizing Gandy to go over to Moscow and solve the problem.
This is a risky move on his part to go over people's heads to the president himself.
There could have been repercussions for this, yes?
Absolutely.
It was a huge career risk because he went over his boss's head at NSA, the Secretary
of Defense, the National Security Advisor. But Dealey was a guy who was a really rough character.
He had no college education originally. He joined NSA as a sergeant and clawed his way up to be the
number three official at NSA. And he was a street fighter. He really was a tyrant. And you can think of him as kind of a
Patton-like character. And it reminds me of something Admiral King said about warfare in
the Atlantic during World War II. He said, when the shooting starts, go get the sons of bitches.
And there's no doubt that that was Dealey. And, you know, he didn't care what people thought of
him. He cared about the mission and he was going to do what he thought was right.
And he didn't care what anyone else thought.
And that's a tough person to work with.
But in cases like this, that's what you have to have.
And although the story is mostly about Gandy, in a way, Walt Dealey is the real hero because
he had the courage to go to the White House and get this thing unstuck. And what is your sense of where things stand today in terms of the communications and
collaboration between our own intelligence agencies? It's very poor, in my opinion. In fact,
I wanted to write this book when I first learned about the story after I left the government. And
Gandy said, no, you're going to destroy the relationship with CIA and NSA.
And I said, that's impossible.
He said, what do you mean?
I said, well, you know, after 9-11, I was head of science and technology at NSA.
I went to my counterpart at CIA, a deputy director there.
And I said, hey, let's cooperate.
And he said, al-Qaeda is our target.
You're our enemy.
Get out of here.
I can't tell you how many meetings I was in across the intelligence community after 9-11 where someone would say, oh, I guess it's going to take another 9-11 to get us to cooperate.
And I would say, wasn't one enough?
What is your outlook? I mean, are we doomed by the nature of us being humans with these tribal tendencies?
Are we always going to have this infighting? Is there any hope for working beyond this and
everybody working together? We're never going to stop people from being tribal. The question is
whether we let it hurt us more than it helps us. In the intelligence world, competition is actually essential.
You don't want groupthink.
You don't want everybody reaching the same conclusion
because they're all on the same page.
You want a diversity of opinions.
You want there to be tension
because no one gets it right all the time.
And in fact, that's why CIA was created.
The Washington establishment realized that if the Pentagon was the only one who got to say what the Russians were doing,
they would naturally say, oh, the Russians are going to wipe us out tomorrow in order to get
bigger budgets. So they created CIA to be a counterweight to that. So it's not a matter of
whether tribalism is bad. Tribalism is a fact of life. It's going to be there forever. But great leaders learn how to harness that and turn it in a positive direction. So I think that's the important point. If you try to fight human nature, you are going to lose every time. You can't fight it. It's a wave. So instead of being swamped by that wave, you have to learn how to surf that
wave. That's Eric Haseltine. His new book is The Spy in Moscow Station, a counter-spy's hunt for
a deadly Cold War threat. And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.