CyberWire Daily - High-grade grifter. Twitter’s disinformation potential. Hacking vaccine research and doxing trade talks. What Iran’s hackers are up to. And CISA says, for heaven’s sake, patch already.

Episode Date: July 17, 2020

The Twitter hack is looking more like high-grade, low-end crime. It also worries people over the disinformation potential it suggests. People care, they really do, that someone hacked COVID-19 biomedical research (we’ll explain). Australia joins the UK, Canada, and the US in blaming Russia for Cozy Bear’s capers. Russia says it didn’t do nothin’. Rob Lee from Dragos with thoughts on the Ripple 20 vulnerabilities on industrial control systems. Our guest is Sal Aurigemma from University of Tulsa on fake ANTIFA Twitter accounts. And CISA’s serious about getting the Feds to apply Tuesday’s Windows patch. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/138

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Starting point is 00:00:46 Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Now at a special discount for our listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off
Starting point is 00:01:34 is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K code N2K. on the Ripple 20 vulnerabilities on industrial control systems. Our guest is Sal Aurigemma from University of Tulsa on fake Antifa Twitter accounts. And CISA's serious about getting the feds to apply Tuesday's Windows patch. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary
Starting point is 00:02:40 for Friday, July 17th, 2020. Twitter's investigation of its Wednesday afternoon hack continues, amid much expert worry about how the ill-intentioned could use a hack like this one to disrupt political campaigns and the organization of polling. But it now seems probable, if surprising, that Wednesday's hack was criminal and not directly state-organized. Reuters reports pre-hack chatter on a gray market forum that's frequented by gamers, swappers, and skids, and this particular chatter offered to sell Twitter accounts.
Starting point is 00:03:16 That suggests low-level criminal activity as opposed to state-directed espionage. It's not just that offers to sell some stolen commodity appeared. State-run operators do that too, often when they wish to be mistaken for simple criminals. Consider NotPetya as one example. Sometimes when they're letting criminals whose services they've suborned profit from their hacking, and occasionally when they themselves wish to profit directly. But in this case, the outcome seemed messy and disproportionate to the relative smoothness and ambition of the attack. That looks like crime. Reuters quoted Allison Nixon, chief research officer at security consultancy Unit 221B, who said, quote,
Starting point is 00:03:58 when you have these less professional criminal groups, you see chaotic outcomes. One member might stumble across a powerful hack and it spirals out of control. That's probably what happened here, end quote. So, good hack, bro. Now, what are you going to do with it? I know, let's do a Bitcoin scam like the Nigerian prince's widow. Whatever. Yeah, totes. It's happened before. When the Mirai botnet first appeared, it took down Internet service across a large section of the U.S. Atlantic seaboard. It wasn't, as widely believed at the time, a Russian shot across Western bows,
Starting point is 00:04:34 but rather the work of a student at Rutgers who was pursuing some vaguely conceived grifting by getting a competitive advantage in selling Minecraft commodities. Krebs on Security has published some suggestive, albeit preliminary and inconclusive evidence that it was indeed a well-executed but not fully thought-through criminal scam executed by a SIM-swapper connected with the Chuckling Squad gang, perhaps by a gentleman who uses the hacker name Plugwalk Joe. He's believed to be an early 20-something British student somewhere in Spain. In any case, investigation continues and the FBI has taken up the case.
Starting point is 00:05:15 A great deal of concern has been expressed about the potential of such Twitter hijacking to serve the purposes of disinformation and influence operations. It didn't in this case, but given the extent to which, alas, people get a lot of their news in the form of tweets, the prospects are sobering. They're even more sobering when one considers how Twitter has come to be used for emergency notification. Twitter's own security certainly took a black eye.
Starting point is 00:05:41 Perhaps the incident will serve as a learning experience for social media generally. So Cozy Bear lapped up some COVID-19 research honey. So what, you might ask? So the Russians get a vaccine too. Big deal, right? Well, putting aside the issue that it seems only reasonable that even biomedical researchers shouldn't have their honestly earned bread stolen from their children's mouths. There are also issues of free-riding on research costs. And then there are also considerations of privacy. Bloomberg interviewed a Darktrace co-founder who says that Cozy Bear's hack of COVID-19 biomedical research put patient data as well as intellectual property at risk.
Starting point is 00:06:23 The research inevitably involves underlying patient data. Darktrace thinks that collecting such data can drive AI modeling that would accelerate vaccine development. A problem they see is the rise of patients losing confidence that their health data would be protected, that this might even discourage people from, for example, going to get tested. Bloomberg doesn't go into this, but unauthorized access also always raises concerns about data corruption, whether deliberate or inadvertent, so the incident is worth taking seriously on a number of levels. Australian intelligence services have joined their Five Eyes sisters in the UK, Canada, and the US in pointing to Russia's Cozy Bear as the actor behind cyber espionage directed against such research, the Sydney Morning Herald reports.
Starting point is 00:07:25 The Herald also has an explanation of how the stolen trade documents British Foreign Secretary Raab mentioned were used in last year's British general election. They served to drive the Labour Party's retrospectively absurd contention that the Tories intended effectively to privatize the National Health Service and sell it to the Americans. Russia's embassy in London, responding to unfriendly statements by Foreign Secretary Dominic Raab, said that Russia didn't hack any biomedical research, didn't attempt to influence any democratic elections, and that it reiterated its offer to jointly investigate and adjudicate cyber issues. The statement closed with this, quote, We have also taken note of the Foreign Secretary's suggestion that the UK government reserves the right to respond with appropriate measures in the future. These are familiar tropes in Russian cyber diplomacy. We trust the word processors in Kensington Palace Gardens, Wisconsin Avenue, Charlotte Street, Canberra Avenue, and for that matter, Messines Road have them loaded as shortcuts. That saves a lot of time and typing. We're
Starting point is 00:08:31 particularly struck by the routine Russian expression of interest in seeing the evidence and coming to a mutual understanding. We're sure we'll hear it again. Finally, CISA is serious about the Windows DNS server vulnerability mitigated this week. Emergency Directive 20-03 tells U.S. federal agencies to apply the patch by 2 p.m. Eastern time today. And hey, that deadline is now in the rearview mirror. We hope you all got it done. And we might add, what's sauce for the feds is sauce for the geese and ganders on Main Street, too. Please patch. Transat presents a couple
Starting point is 00:09:15 trying to beat the winter blues. We could try hot yoga. Too sweaty. We could go skating. Too icy. We could book a vacation. Like, somewhere hot? Yeah, with pools. And a spa. And endless snacks.
Starting point is 00:09:28 Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
Starting point is 00:10:07 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families
Starting point is 00:11:05 at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The problem of inauthenticity online, especially on social media, is a complex issue for social media providers to tackle.
Starting point is 00:11:50 They can run the gamut from celebrity impersonators to sophisticated state influence campaigns. Sal Aurigemma is Associate Professor of Computer Information Systems at University of Tulsa, and he and his colleagues have been researching inauthenticity online, including fake Antifa Twitter accounts. The core issues around this topic in general, but definitely specifically for the fake Antifa US account, kind of comes down to that, you know, a fake account was used to spread disinformation on Twitter. And while Twitter and other social network platforms have gotten better at automated and manual fake account detection, and they're really good at detecting bots now, it's still kind of a game of whack-a-mole. And the key issue of
Starting point is 00:12:31 identifying disinformation and stopping it being spread on and between social networks, today it's an important task, but it's pretty much almost impossible to completely stop in a timely manner, given how we are operating on social media today. Do you think that blocking inauthentic accounts is effective? It definitely does a job in terms of preventing inauthentic accounts from continuing to spread disinformation and manipulating. The problem is that the rapidity of whether it's automated or even individual setting up fake accounts makes it so difficult to, once you stop a bad actor from spreading information, the SOP now is basically, well, I've either already got another account set up or I can quickly and easily set up other accounts to continue my path. And the echo chamber of the type of people that listen to these messages, whatever the content is, it's easy enough to get back into those groups even if a fake account or disinformation campaign is stopped.
Starting point is 00:13:47 even if a fake account or disinformation campaign is stopped, it's easy enough to get back into the flow of information because those communities and groups and the type of message you're looking for, the confirmation bias that goes with the things that they're looking to read about and spread, that doesn't change just because you get rid of a fake account. Social media platforms have definitely gotten better at doing this, you know, especially since the 2016 election interference by Russia and added in human review to help with that. So they'll use these automated techniques to help elevate potential platform abuse and misuse accounts so that humans can get more involved. But that's a timely process. So even in the case of the fake Antifa US account, that account was reported.
Starting point is 00:14:29 We don't have the exact details of how it came to Twitter's attention, but that account was suspended within 24 hours of that tweet, that famous tweet that went out. But it took over 24 hours for Twitter to identify, well, it is a known, you know, racist organization that manually set up this account. And that challenge of attribution in social media is the same problem we have with attribution throughout cybersecurity. You know, if we
Starting point is 00:14:58 jump to conclusions on who is doing certain types of activity on social media, we run the chance of being wrong, just like you've heard about the many reports in the past of blaming an actor for inciting some information leak or an attack on an organization. So do I believe that the social networks are working hard? Absolutely.
Starting point is 00:15:24 The challenge we really have is a fundamental issue with social media. Do the platforms themselves suffer from a bit of, I don't know, I suppose a perverse incentive of if they're all about engagement and people who are upset tend to be engaged, people who are agitated tend to be engaged, is it best for their own interests to stir the pot a little bit or to allow the pot to be stirred? Well, yeah, you definitely hit the nail on the head there. Engagement, keeping people on the platform is what keeps these platforms in business so that they can advertise and sell product and other services. So they are definitely at odds with the problem. So there needs to be, for the social media perspective, is they need a clear understanding of what is allowable and what isn't. The problem is that changes,
Starting point is 00:16:26 that bar keeps changing depending on what's happening. Now, you would think that certain things are pretty clear, like child sexual exploitation. That one is a clear, easily defined, and the social media platforms are very quick on that, and there's no debate on whether they are for or against that. But then when you get into the political realm in particular, and definitely for more divisive issues, whether it's race issues in this country or whether it is pro-life movements and things
Starting point is 00:16:59 like that, you don't have the same straight cross the line and I can make a decision on this, it becomes much more subjective. And that subjectivity is really the challenge for social media. And like, how do they keep people there talking about these topics? Yet when it goes over the line of decency, how do they stop it? And definitely the misinformation part. That's the disinformation and misinformation spread is the biggest challenge for social media in this context. Fake accounts are bad. Yes. What is the real bad part of fake accounts?
Starting point is 00:17:33 It's more the unimpeded spread of disinformation and misinformation that really has the societal impact. That's Sal Aurigemma from University of Tulsa. If you want to hear an extended version of this interview, head on over to thecyberwire.com. You can find it there in the CyberWire Pro section. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your
Starting point is 00:18:26 organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, we recently had the story come by about this series of vulnerabilities that are collectively being called Ripple 20. This has some deep implications and affects a lot of things. What's your take on this? Yeah, absolutely.
Starting point is 00:19:08 So it was research put out by JSOF Research Lab, and they published it basically saying, here's these vulnerabilities as they relate to the TCP/IP software library. So it's a library developed by Treck Incorporated. It's used all over the place. There's a big focus on IoT here, but it's actually a little bit further reaching than that. It's actually quite a bit popular in ICS,
Starting point is 00:19:31 or industrial control systems world as well. So impacting everybody from Schneider Electric to Rockwell, to different industrial automation vendors. You're going to find this impacts basically embedded devices all over pretty much every industry, but very heavily electric and oil and gas, transportation, that kind of world. So everyone should take a look at it, but especially the ICS security community is going to need to be on top of this one. Anytime that you find vulnerabilities that are of any sort of criticality
Starting point is 00:20:03 that touch on underlying software stacks, especially things like the TCP/IP stack. Those are ripe targets for adversaries to take advantage of, and they allow a lot of network-capable impacts. And when we think about IoT, but also the IIoT or the industrial IoT, and you start talking about industrial control systems, network access is the game. We don't think about system-level security
Starting point is 00:20:29 as much like enterprise, where it's like, hey, let's protect this system. It's more systems of systems security. And so network access, network control, that's stuff that an adversary is definitely going to take advantage of. So I think these are pretty impactful. My analysis and our analysis over at Dragos
Starting point is 00:20:44 to our customers has been, look, this is just a further acceleration of your plans around doing network monitoring and segmentation. I think segmentation is a good strategy, but it's one that no matter how much you do, it's kind of not what you think it is, especially with the digital transformation that companies are going through and hyper-connectivity. But the importance of monitoring in those networks, like network security monitoring and, in this case, ICS asset identification and monitoring, that just became even more critical. And if I can be the what's coming in the future kind of note,
Starting point is 00:21:21 is this doesn't surprise anybody in this community. A lot of these software stacks, a lot of these OEM components are all over the community. It's not well documented of what vendor has what thing. And when these devices get deployed for 15 or 20 years, the research community, as they start poking, are going to find way more things. And the necessity to monitor in those environments
Starting point is 00:21:44 to be able to identify exploitation, forget the patching piece, that's not the issue here, but it's can you identify adversaries taking advantage of these classes of attacks, these classes of vulnerabilities? That's where we're pushing people because it's going to be more common, not less common. Yeah, I mean, the reporting is saying
Starting point is 00:22:02 that these libraries have been out since the late 90s. And so, I mean, is it right to assume that that means that, you know, for many of these things, we're not going to be seeing bug fixes? Yeah, we won't. The big problem, and this goes to actually some of the things that, like, the I Am The Cavalry people have been advocating over the years, where they're saying, look, there's not a good software bill of materials for a lot of these companies. When you go and talk to the Schneider Electrics and the Rockwells and the Siemens' of the world today, they're putting a lot more focus on tracking their inventory and understanding what's there. They're being pretty proactive, actually.
Starting point is 00:22:40 But that's for 10 years from now. The state of the union for the next 10 years is all of this equipment that you bought and purchased from yesterday on back 20 years ago. And that's what we would call brownfield. And you're not making significant dents in the brownfield, and you're definitely not doing it through patching. Some patches are critical. I'm not saying don't patch, but patching as a strategy for a ton of equipment in the environments that we don't even necessarily know what all is on that equipment
Starting point is 00:23:11 is not the leading strategy here. And for some of those vendors, they don't know they have that software, so they won't ever issue a patch. And for some of the vendors, they may even be out of business in comparison when you bought it. Patching isn't going to be as effective of a strategy
Starting point is 00:23:30 against these types of vulnerabilities in these environments as it would be in enterprise. Again, not saying don't patch, but it's not as effective a strategy and it has a lot of complications to it anyways, which is why we always push for, hey, at least be able to monitor. If you know you've got vulnerable equipment or you don't even know if that equipment has that software stack, that's fine, but you should be able to detect when somebody is trying to access it or exploit it.
Starting point is 00:23:55 That's the leading strategy. Then you build in your protection and response strategies around that. All right. Well, Robert M. Lee, thanks for joining us. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Starting point is 00:24:41 Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave
Starting point is 00:24:58 Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
