CyberWire Daily - Hacktivists may be warning Russia and Iran against interfering in US elections. Britain on alert for Russian moves against infrastructure. Facebook preps for Congress. Ransomware updates.
Episode Date: April 9, 2018
In today's podcast we hear about the curious case of hacktivists who may be slugging for Uncle Sam. Maybe. Britain's NCSC warns of battlespace preparation for a campaign against critical infrastructure. Facebook prepares for its appearance on Capitol Hill. Facebook also cancels a plan to share anonymized medical data for research purposes. Atlanta continues to recover from SamSam. And some good news: Malwarebytes has solved LockCrypt ransomware. Robert M. Lee from Dragos with his take on why indicting foreign hackers is a bad move.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Are hacktivists slugging for Uncle Sam?
Maybe.
Britain's NCSC warns of battle space preparation
for a campaign against critical infrastructure.
Facebook prepares for its appearance on Capitol Hill.
Facebook also cancels a plan to share anonymized medical data for research
purposes.
Atlanta continues to recover from SamSam. And some good news:
Malwarebytes has solved LockCrypt ransomware.
From the Cyber Wire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary for Monday, April 9th, 2018.
Late Friday and into the weekend, what's thought to be a group of hacktivists
defaced Iranian and Russian websites with a crudely rendered American flag
and the message, don't mess with our elections.
The defacements were relatively crude.
The flag is old-school ASCII art, for one thing, but disruptive nonetheless.
The hackers exploited the recently disclosed Cisco Smart Install vulnerability, CVE-2018-0171,
to reset routers to their defaults and display their
message.
Most observers are so far inclined to accept the hackers' claims at face value, patriots
who took advantage of unpatched routers to mess with Russia and Iran.
As they so often do, Motherboard has gotten in touch with people purporting to be the
hacktivists to see what they're up to.
As the magazine puts it, they were in touch with, quote, someone in control of an email address left in the note, end quote.
The hackers who claimed responsibility told Motherboard, quote, we were tired of attacks
from government-backed hackers on the United States and other countries. We simply wanted
to send a message, end quote. So the message has been sent and received. It also appears that the message has
for the most part been removed. And don't try this at home, kids. The Cisco vulnerability has
been exploited elsewhere, not just in Russia and Iran, and not just for hacktivist purposes,
since it became known. Britain's NCSC warned late last week that Russian threat groups were harvesting NTLM credentials
in apparent preparation for an attack on the UK's critical infrastructure.
The National Cyber Security Centre advised that Russian state actors
have been prospecting engineering and industrial control firms since March 2017.
The warning was in at least one respect indirect. The NCSC didn't
name Russia in its own advisory, but it did link to the similar announcement from US CERT last
month, which of course did name Russia directly. Thus, there's little doubt as to whom they have
in mind, and the British press has little doubt about whom the NCSC meant.
Tensions remain high between Russia and the UK over the recent nerve agent attack in Salisbury.
Sergei Skripal, former GRU officer and MI6 spy,
victim of an attempted assassination with the Novichok nerve agent,
has regained consciousness and is out of critical condition.
His daughter Yulia, also out of critical condition,
has refused to talk to the Russian consulate that sought to check on her welfare.
British sources say the Skripals may be relocated with new identities to one of the other Five Eyes, probably the US.
Possible Russian reprisal in cyberspace to diplomatic measures and financial sanctions has been a matter of some concern.
Tension flared anew with Friday's imposition of sanctions on Russian companies by the U.S. Treasury Department.
And a chemical agent attack by Syria's Assad government against insurgent positions
brought very harsh U.S. criticism of Russian and Iranian support for the "Animal Assad," as U.S. President
Trump called the Syrian leader.
As Facebook prepares to face its inquisitors on Capitol Hill this week, the platform's
recent upgrades get generally poor reviews.
It introduced a way to recall messages after users complained that messages they'd received
from CEO Mark Zuckerberg had disappeared from their accounts.
Facebook had not permitted regular users to do this,
but they hastily introduced a feature permitting this at the end of last week.
Reception has been poor, with commentary from Wired being representative.
It looked like a hasty reaction.
The company has suggested more data misuse may come to light, so have the whistleblowers, who've opened up the data scandal.
Bad optics has apparently induced the company to "pause," as it's been put, an attempt to get medical facilities to share anonymized patient data.
The stated intent was to enable data so shared to be used for research conducted by the medical
community. But Facebook has decided to leave this alone for a while, at least. As the company put
it in a statement quoted in CSO, quote, last month we decided that we should pause these discussions
so we can focus on other important work, including doing a better job of protecting people's data
and being clearer with them about how that data is used in our products and services.
End quote.
The City of Atlanta continues to struggle back from its SamSam ransomware infestation.
Business Insider reports that last Thursday, Atlanta took down its Department of Watershed
Management website indefinitely for server maintenance and updates.
As of today, the site appears to be accessible, but it's also got the city's Ransomware Incident
Update banner prominently displayed across the top.
The city says it's still investigating and remediating, but that it's seen no evidence
that personal information has been compromised.
And finally, some good news on the ransomware front. Malwarebytes researchers have found a weakness in the encryption scheme LockCrypt uses.
They can use that weakness to decrypt files ensnared by LockCrypt.
LockCrypt has been irritating, but Malwarebytes gives the criminals behind it poor reviews.
Quote, LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers.
Its authors ignored well-known guidelines about the proper use of cryptography, end quote.
You can contact the Malwarebytes support team for help.
And bravo, Malwarebytes.
And joining me once again is Robert M. Lee. He's the founder and CEO of Dragos. Robert, welcome back.
I saw on Twitter that you had made some comments about the risk of indicting foreign hackers, and I wanted to go through that with you. What do we need to know about this?
Absolutely. When you're looking at indicting folks, you're talking about a criminal process, right? The Department of Justice gets involved.
And it can be extremely important if you're talking about standalone criminals.
But if you're talking about nation state operations, which the indictments have been typically about,
we saw Chinese indictments with Wild Wild West styled posters of Chinese hackers and Iranian indictments, now Russian indictments.
It serves little purpose and honestly has a lot of risk associated with it.
And the first problem is that it makes it about the people and not about the state.
The problem isn't that there were seven members on a team in Iran that compromised infrastructure.
The problem was that the Iranian government built and authorized this team to do so.
So by making it about the individuals, we basically allow them to become scapegoats for that government instead of holding the government accountable.
The other problem is these aren't criminal acts to them.
These are their operations that they're running as part of military intelligence operations.
And we do the exact same thing.
So it's not about, oh, well, they do it and we do it.
It's OK.
No, it's about making the point that we don't want to see U.S. military members on Wild Wild West style posters in China, Iran and Russia.
It's not supposed to be about the individuals. It's about the state.
So it was not only the protection of our own people, but actually holding states accountable and letting them know when they do cross the lines of what we perceive to be inappropriate use of operations.
We need to make it about the states and not the people.
And it seems like when these reports come out that there's little hope that these folks will ever be arrested or brought to justice or anything like that.
I suppose some of them have been nabbed when they've taken vacations in countries that have extradition agreements with us.
So it seems more symbolic than anything.
It is. I think it's more political in nature, and it has value for showing that a certain administration is going to be taking this seriously.
I'm usually not so cynical about actions, but I am fairly cynical about this because I think the aspect of nabbing one of these folks is utterly
ridiculous. Again, if it's a criminal who's been doing cybercrime, broke international law around
that or domestic law that we care about, then sure. But if it's a military member for another
state or operating on behalf of their military or intelligence services, we shouldn't be nabbing
these folks and trying to hold them accountable. It's, again,
utterly ridiculous to me. And does there seem to be a pattern to when we consider them having
crossed the line, gone beyond sort of tit for tat espionage into this point where we
declare them criminals? There's not a clear line. And I think that's part of what makes this
extremely risky is there is not a clear line for anybody on what we do or
do not allow as a state, for any state. We've seen, I've talked about before, where we've had
hacks against infrastructure and power outages in Ukraine, or malware designed to kill people
in Saudi Arabia, and we don't utter a whisper about it. And we basically erode the norms by not addressing those issues.
And we typically say, well, there's red lines.
If you cross them, we'll let you know.
And then people ask, well, what are the red lines and what are the repercussions?
We're like, we'll tell you when it happens.
And that's a strategy of strategic ambiguity that doesn't benefit anybody.
And if you're Iran, Russia, China,
et cetera, you're still trying to figure out what exactly the U.S.'s normal operations are,
because obviously we're doing operations in those countries as well from a cyber component.
So what is good use and bad use of these capabilities? And you're just going to have
trouble defining that because each state takes advantage of it and each state takes advantage
of the ambiguity. So all of the states are going to take advantage of the ambiguity and run their operations like they want.
At the very minimum, let's just keep people's faces off all the Wild West posters.
All right. Robert M. Lee, thanks for joining us.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell.
Thanks for listening. We'll see you back here tomorrow.