CyberWire Daily - Hidden Cobra's RATs. IoT bugs. Patch Tuesday notes. Backdoored smartphones. Russian trolling, propaganda. DPRK short wave hacked?

Episode Date: November 15, 2017

In today's podcast, we hear that the DHS and FBI have warned that two North Korean malware campaigns are active in the wild. IoT vulnerabilities are disclosed. Smartphones ship with apparently inadvertent backdoors. Patch Tuesday was a big one, this month. Russian trolls took both sides in the Brexit vote. A pro-tip from the squints: a screenshot from a video game isn't, you know, actually gun-camera footage. Ben Yelin from UMD CHHS on the possible expiration of section 702 of the FISA act. Orion Hindawi, CEO of Tanium, with insights gathered from their annual Converge conference. And North Korean shortwave gets hacked to play Eighties rock.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 DHS and the FBI warn that two North Korean malware campaigns are active in the wild. IoT vulnerabilities are disclosed. Smartphones ship with apparently inadvertent back doors. Patch Tuesday was
Starting point is 00:02:08 a big one this month. Russian trolls took both sides in the Brexit vote. A pro tip from the squints. A screenshot from a video game isn't, you know, actually gun camera footage. And North Korean shortwave gets hacked to play 80s rock. I'm Dave Bittner with your Cyber Wire summary for Wednesday,
Starting point is 00:02:37 November 15, 2017. Hidden Cobra, better known as the North Korean threat actor Lazarus Group, has been discovered distributing a remote administration tool to targets in the aerospace, finance, and telecommunications sectors. The U.S. Department of Homeland Security, DHS, and the Federal Bureau of Investigation, the FBI, in their warning yesterday called the RAT FALLCHILL. It appears to be an espionage tool. DHS and FBI also issued a separate warning of a different North Korean bit of malware. This one, a Trojan called Volgmer, is being distributed by spear phishing. Two Internet of Things vulnerabilities have been disclosed. Cisco researchers report critical vulnerabilities in a widely used Foscam C1 indoor HD camera. Cisco disclosed the problems
Starting point is 00:03:21 to Foscam, and Foscam has issued fixes. And security firm SEC Consult reports finding exploitable issues in older Siemens SICAM remote terminal unit modules. They're at the end of their life, and Siemens advises updating to newer versions. Smartphones from OnePlus, their models 5, 3, and 3T, appear to have shipped with backdoors. It occurs in the form of an EngineerMode application that seems to have been a tool for development and factory testing. Such tools are common, but they're typically removed or disabled before the products ship. In this case, it appears to have been inadvertently left in place. It's not immediately
Starting point is 00:04:02 obvious, but the backdoor can be found with a little bit of searching. OnePlus is preparing a fix. Most security experts who've commented seem to think that this particular issue isn't in itself a large problem. It is, of course, a less than large problem, but they see it as indicative of a certain carelessness about security and privacy at OnePlus. More generally, they see it as another example of the sort of flaw that crops up in firmware all the time. Orion Hindawi is co-founder and CEO of security company Tanium. The company recently hosted their annual Converge conference in San Francisco, bringing together customers and high-profile speakers for informational and educational sessions. I asked Mr. Hindawi what some of the takeaways were from the conference.
Starting point is 00:04:48 Within security, we've got a few challenges that in the last year have become very apparent. And within manageability, we've got a few. So, you know, on the security side, a lot of our customers are much more concerned about destructive attack than they were even a year ago. So, you know, you think about a few years ago, probably before Sony, and what most people were concerned about was this opportunity for attackers to come in and take their data and take their IP potentially and use it to copy their products or take their customer data and use that to sell it. And now what I think a lot of our
Starting point is 00:05:25 customers are becoming more and more concerned with is this idea that they potentially could be put out of business in one day. Because if every asset that they have, every computer that they have is no longer functional, in most of our customers at this point, it would be existentially threatening to their business. On the management side, I think we've got a real fundamental change that's happened in the last couple of years, which is that IoT did not used to be IT's problem. So, you know, you think about heart rate monitors and all this stuff that has entered into enterprise. It used to be that that was a business line problem. And so if the business line was buying these things that were network connected, they should really be thinking about how do you manage them. And I
Starting point is 00:06:08 think what's happened in the last couple of years is that there have been some botnet attacks that were very visible. But also IT has realized that that's in some environments, the majority of the assets on the network are becoming IoT. And that's only going to become more and more aggressive over time. And so I think from a manageability side, a lot of our customers are starting to realize that between cloud and work from home and IoT, the vast majority of the assets that they now have responsibility for didn't exist five years ago or 10 years ago. And so they've been forced to really change the way that they're doing manageability at a basic level, like inventory, or patching, or, you know, figuring out whether their
Starting point is 00:06:51 vulnerability is present, or, you know, doing software license management, all those things have to pretty dramatically adapt to that new world. Swinging back around to your Converge conference, you know, in this interconnected world, when it's easy to look up information and easy to watch videos online or online seminars, why do you think it's still important for folks to get together face to face? that if they meet somebody who is a peer of theirs, and maybe it's over a beer, and they get a chance to really talk to them about how they're using our platform, what challenges they have in their environment, where they see their future from the standpoint of the challenges that they're seeing on the horizon, they can build trust. And what we're finding is that as especially within the same industry, people meet a bunch of their peers when they have a question or they have a challenge. They're starting to call them and really build a community that is organic.
Starting point is 00:07:54 It's not something that we're curating, that we're trying to kind of turn into this well curated environment, but instead something that's organic and that they're building themselves. And so we've been trying to give them like our community site forums in which they can do this. But we do really think that bringing them together, showing them how we're looking at our platform, but also letting them interact with other people who are their peers in a face to face setting really is irreplaceable. And, you know, I definitely have friends of mine in Silicon Valley who think that we're all going to be wearing HoloLens and that's going to be the future of human interaction and that they may be right. But today, I'm not sure that it's easy to replace that ability to just sit down at a table and chat
Starting point is 00:08:42 about, you know, really something that if you look at many of our customers has become integral to their ability to do basic manageability and security and have them discuss what's working, what's not working, what advice they have for us, and really inform us on where we should be taking the company for the next year so that when they come back a year from now, many of the things that they wish we'd done, we were able to do. That's Orion Hindawi. He's the CEO at Tanium. Both Microsoft and Adobe issued a large number of patches yesterday. Microsoft's 50-plus fixes include some 20 that addressed Explorer and Edge critical browser issues. Adobe issued 80 patches affecting Flash Player, Photoshop, Connect, Acrobat and Reader,
Starting point is 00:09:26 DNG Converter, InDesign, Digital Editions, Shockwave Player and Experience Manager. The UK reports Russian trolling during the run-up to the Brexit vote. There was a lot of pro-Brexit chatter, but also a fair amount of Bremain support expressed from Russia. University researchers at Swansea in California tracked the activity and found that it included some genuine commentators, but also a very large number of bots and what they called cyborgs, semi-automated bots that operate with a degree of human involvement. A different research team, this one from Oxford and City University, found much activity from 30 highly automated social media accounts in late June.
Starting point is 00:10:08 An Atlantic Council expert told the Times of London that in his view the content is typical Russian troll factory output. As the council's Ben Nimmo put it, Pro-Russian, pro-Assad, pro-Ukraine rebels, anti-Clinton, anti-NATO, anti-White Helmets, anti-EU. The question is whether it's pro-Kremlin or actually Kremlin-run. That's something which only Twitter can answer definitively. As has typically been the case with Russian information operations, the goal seems to have been inflammatory rather than programmatic. It didn't matter much whether Brexit or Bremain won, as long as the legacy of the vote was enduring mistrust and embittered partisan feeling.
Starting point is 00:10:48 It's worth reminding ourselves that not all Russian information operations show comparable focus and discipline. The stuff that comes from the Ministry of Defense, as opposed to the intelligence and security organs, is frequently clumsy. Last week, the Russian Ministry of Defense published images and commentary which it claimed showed the U.S. providing air cover to ISIS in Syria. The larger claim, of course, is that the U.S. is playing a double game and is complicit with Islamist terrorism. Implausible on the face of it, the MOD's claim was quite specific, claiming to show U.S. coverage of an ISIS convoy
Starting point is 00:11:24 fleeing the Syrian town of Abu Kamal on November 9th. But as independent news organization and habitual Moscow gadfly Bellingcat pointed out, the screenshot displayed was in fact captured from the video game AC-130 Gunship Simulator Special Ops Squadron. This was probably a goof, since the Russian MOD took the story down soon after exposure, but one wonders, who's the audience? Are they likely to buy it anyway, at least for a while? If your audience is gullible and their attention spans short, AC-130 Gunship Simulator Special Ops Squadron is good enough for the checkout line tabloid market. Finally, is North Korean Supreme Leader Kim Jong-un a fan of 80s soft rock?
Starting point is 00:12:09 We're asking for a friend. Someone, apparently a hacktivist, but it's difficult to be sure, is also hacking around North Korean radio. They got into the feed of a DPRK shortwave station, regarded as a numbers station, an occasional broadcaster of provocative Juche inspiration, and they played Europe's 1986 hit, The Final Countdown. The American patriotic hacktivist Jester has been tweeting his approval of the unknown
Starting point is 00:12:36 hacker. As Jester Actual puts it, quote, A god among us has hijacked 6400 kilohertz and is playing The Final Countdown. We're wondering because this sounds like a hack, but you never know. Supreme Leader Kim has been known to hang with Dennis Rodman, and once you've chilled with the worm, it's tough to know what to expect. Mr. Rodman has said that Mr. Kim likes to listen to the themes to the movie Rocky and the TV show Dallas. No mention of Swedish rock.
Starting point is 00:13:05 Still, it's not out of the question. And Mr. Kim is also said to be into karaoke. Better mic than missiles, we say. Make karaoke, not kilotons, Mr. Kim. And may Mr. Rodman be a force for good in your life.
Starting point is 00:16:14 And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. You know, Section 702 of the FISA Act, the Foreign Intelligence Surveillance Act, is getting ready to expire. And there are some legislators who have put forth some new legislation to perhaps take care of some of the items in 702. Can you just fill us in? What's going on here? Sure. So this law, which was enacted in 2008, and key details about it were uncovered with the Snowden disclosures in 2013, it's going to expire at the end of this year, on December 31st.
Starting point is 00:16:52 So there is an effort to both renew the law and revise it. The Trump administration supports renewing the law in full, not making any changes to protect civil liberties. And members of Congress in both parties, I think, find that outcome to be unacceptable and are proposing a bunch of changes. So the program is designed to collect information from the communications of foreigners who are not located in the United States. Problem, of course, is that it ends up incidentally encapsulating the communications of many U.S. persons, because if I'm making a call to somebody on a terrorist watch list, that call is eligible for interception. And if I say something on that call that might implicate me in some kind of crime, the government can use that to arrest and prosecute me.
Starting point is 00:17:40 And that's a warrantless search. I mean, it kind of runs afoul of our Fourth Amendment principle that you shouldn't be able to search my stuff, search my communications without some sort of warrant or prior authorization. And that's why opponents refer to this as a sort of backdoor search of U.S. persons. What the reform proposal that was passed by the House Judiciary Committee would do, and it was passed in a bipartisan manner, is require a search warrant to search records of U.S. persons for evidence of a crime or the commission of a crime. Now, civil liberties advocates, I think, are disappointed because it doesn't go further. It still allows warrantless searches of that information for other purposes, like for foreign intelligence purposes, or even to just do some investigatory work.
Starting point is 00:18:29 There was an amendment proposed in the committee by a Democrat and a Republican that would have strengthened that provision to crack down on backdoor searches. And it was defeated, mostly because the House leadership said that the bill would not pass with that amendment included. So I think there's a good chance that the House will pass that reform legislation. The Senate's bill is much weaker in terms of protecting civil liberties than the House's bill. And they're going to have to kind of reconcile all of this by the end of the year. So I think that's a major battle to watch out for.
Starting point is 00:19:05 And what's your money on? Do you think 702 is merely going to expire, or will they renew it, or will one of these new laws replace it? I think that the most likely option at this point is that the clock is going to run out because of the legislative backlog that Congress has, and they're going to be forced to do some sort of temporary renewal, maybe for six months or for another year. I think there's enough disagreement in Congress about the particulars of a reform bill that they wouldn't be able to get it done in the six remaining weeks that we have in 2017, especially since Congress is only going to be in session for, I think, maybe three of those weeks.
Starting point is 00:19:45 So I think it's mostly a time issue. I would guess at some point in 2018, we'll see something pretty similar to the House bill, where there'll be a reform effort better than the status quo, but not something that some of the civil liberties groups like the Electronic Frontier Foundation, ACLU, are going to be particularly enthralled with. All right. Ben Yelin, thanks for joining us.
Starting point is 00:20:26 And that's The Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
