CyberWire Daily - Humanitarian organizations targeted. Memcrash extortion. Spring Break bug. Equifax breach update. Russian influence operations (and American "yelling and hollering").
Episode Date: March 5, 2018
In today's podcast, we hear about a new campaign that targets humanitarian organizations with North Korean phishbait. Memcrash is now being exploited by criminal extortionists. Equifax losses from last year's breach are said to mount. Germany says it detected the compromise of a secure government network before too much damage was done. They don't offer official attribution, but everyone else says it was the Russians. The Russians say they didn't do it. President Putin deplores "yelling and hollering" in the US Congress. Ben Yelin from UMD CHHS on section 702 reauthorization.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
A special thanks to all of our Patreon supporters.
You can find out how you can support our show by visiting patreon.com slash thecyberwire.
A new campaign targets humanitarian organizations with North Korean phishbait. Memcrash is now being exploited by criminal extortionists. Equifax losses from last year's breach are said to mount. Germany says it detected the compromise of a secure government network before too much damage was done. They don't offer official attribution, but everyone else says it was the Russians.
The Russians say they didn't do it.
And President Putin deplores yelling and hollering in the U.S. Congress.
I'm Dave Bittner with your CyberWire summary for Monday, March 5, 2018.
McAfee researchers report finding a new campaign that targets international humanitarian aid organizations.
The actor behind the operation is not specified, although McAfee believes it to be a Korean speaker.
The malicious documents are baited with news about North Korean relief organizations.
McAfee ties one persona, SnoopyKiller, at Mail.ru to the operation.
Memcrash distributed denial-of-service attacks have apparently been criminalized.
DDoS attackers seek to extort cryptocurrency from victims.
Akamai, who followed the DDoS campaigns closely and played a principal role in GitHub's swift recovery from what's being called the largest DDoS attack on record, has spotted
extortion notes buried in the attack traffic. The hoods are asking for Monero, which appears
attractive to them because of its greater relative anonymity than competing cryptocurrencies like
Bitcoin. Researchers at LGTM have discovered a vulnerability
in the widely used Pivotal Spring web development framework.
The issue, which they're calling Spring Break,
is said to be an easily exploitable arbitrary command execution bug.
The vulnerability is similar to problems with Apache Struts
that, going unpatched, were exploited in the Equifax breach of 2017.
And speaking of Equifax, its breach may prove to become the most expensive hack yet recorded.
CRN reports that the company's breach-related costs,
as disclosed in a Friday earnings conference call,
could rise to $435 million by the end of 2018.
This estimate comes on top of last week's news
that almost two and a half million more consumers than previously known had been affected by the breach.
More affected individuals may come to light as the long process of investigation continues.
Germany's Interior Ministry says that relatively early detection of intrusion into a sensitive network
averted what could have been considerably more extensive damage than the government sustained.
The spokesman declined to offer attribution, but unofficial consensus is that the hack was a Russian operation.
Russia's Foreign Ministry denies any involvement
and cites the incident as another case of Western governments reflexively and in bad faith
blaming Moscow for anything that goes wrong in cyberspace.
Russia's President Putin offered a similar response to U.S. concerns about election hacking.
He wants to see the evidence.
It's a lot of, quote,
yelling and hollering in the United States Congress, says Mr. Putin.
To be sure, there is a lot of yelling and hollering on Capitol Hill,
but there's more to Russian election interference than that.
Anyway, he'd like to see the accusations forwarded to Russian authorities through official channels,
because of course he's solidly committed to the rule of law, or something.
Mr. Putin said in an interview on NBC Friday,
With all due respect for Congress, you must have people with legal degrees.
Investigation of Russian influence operations,
which aren't seriously in doubt,
have become, observers lament, increasingly partisan,
with yelling and hollering across the aisle.
Meanwhile, leaked documents are thought to provide some insight
into the operations of Russian troll farms and their objectives. Those objectives appear, as always, to include the overarching
goal of fomenting mistrust. Some think they see more specific economic objectives as well.
The U.S. House of Representatives Committee on Science, Space, and Technology released a
majority report last Thursday in which they allege that Russian social media exploitation
was engaged in attempts to suppress U.S. fossil fuel production.
The report itself notes that the Russians are, quote,
intent on exploiting existing divisions and social movements in the United States, end quote.
That seems right.
The social media engagement on energy development does seem in some respects difficult to distinguish from the general goal of creating chaos,
but there appears to have been some interest on the trolls' part in inhibiting natural gas pipeline development.
Still, in this case, it's difficult to separate signal from noise.
The troll farm was certainly busy on the social media front, and it remains unclear just how many followers they attracted.
Last fall, Facebook told California Democrat Senator Feinstein that, quote,
approximately 1.8 million people followed at least one Facebook page associated with the Internet Research Agency, end quote,
that is, the big St. Petersburg troll farm. But Wired reports that a researcher at Columbia University's Toe Center for Digital Journalism,
Jonathan Albright, thinks that in fact Facebook has considerably underestimated those numbers,
and that it really has no idea how many humans followed the trolls,
because it never really looked into the trolls' Instagram accounts.
Albright has, and he estimates that the answer is in the millions.
And what about those trolls, the ones from the Internet Research Agency, who were indicted as
a result of Special Counsel Robert Mueller's investigation? They're an interesting mixed bag,
according to an account in Fifth Domain. They're described as nine-to-fivers, interested in
building their careers and not terribly concerned about the nature of their work.
A former employee of the Internet Research Agency, one who wasn't indicted, told the AP that her colleagues, quote,
came to the factory and thanks to their personal qualities and knowledge of English, they were rapidly promoted, end quote.
Among them were a student of psychology with an interest in loneliness, a journalist who did stand-up comedy on the side,
and a wildlife management graduate from a little town near Irkutsk
who apparently thought of himself as a Siberian Jay-Z.
What are they teaching them at the Russian State Hydro-Meteorological University these days, anyway?
And joining me once again is Ben Yelin.
He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security.
Ben, welcome back.
We saw a recent blog posting from Bruce Schneier about the Section 702 reauthorization.
This blog post is called After Section 702 Reauthorization.
It was reauthorized.
Can you take us through some of the points that Bruce is making here and your thoughts as well?
Sure.
So he is sort of saying that this represents a bit of a loss for civil libertarians as it relates to electronic surveillance for national security purposes.
The FISA Amendments Act was originally enacted in 2008
with the support of then-Senator Obama.
We later found out through the Snowden disclosures in 2013
that it was being used to justify warrantless collection,
both through our Internet service providers
and a program called PRISM,
and from our Internet infrastructure,
our Internet backbone,
through what we call upstream collection. And one of the reasons it became so controversial is that even
though the program is intended to collect the communications of non-U.S. persons who are located
abroad, sometimes the communications of U.S. persons or even wholly between U.S. persons
can get captured as part of this collection. There's no judicial authorization required for this collection. And the information,
the communications goes into a giant government database that is available to almost all of our
intelligence agencies, meaning it's searchable. So if I were to talk to a potential terrorist
target overseas, even if that conversation was something that I wanted to keep private,
the government could collect that without any sort of judicial authorization,
without a warrant.
It would be searchable.
And if they found evidence of a crime in searching for that information,
they could use it to prosecute me.
After the Snowden disclosures, and I think this blog post sort of gets at this point,
there was a thought that we might be at this new moment where there's political will to curb these excesses of electronic surveillance and have a moment where we restore our civil liberties.
The program was set to expire at the end of 2017. It was extended for a couple of weeks into January.
And in January, they passed a reauthorization bill that only made very, very minor changes to the law.
One of the changes is that you now do need a warrant to search the database of collected communications if you are only doing so for the purposes of a criminal prosecution.
Obviously, that's a giant loophole. Some of these intelligence agencies could certainly assert that they're only searching these databases for foreign intelligence
information. And if they just happen to come across evidence of a crime, there's nothing
stopping them from prosecuting. So it wasn't sort of the robust civil liberties protection
that those in favor of reforming Section 702 really desire, which is to have all searches of 702 data be subject to a warrant requirement.
So another thing that this blog post sort of gets at is, what do we do now?
And I think that's a very important question.
We've sort of tried the judicial route.
Some of the foremost protectors of civil liberties in our country,
the ACLU and the Electronic Frontier Foundation, have been filing lawsuits against this program
for years, and they've never been able, really, to get a case heard on the merits because,
as we've talked about before, it's very difficult to establish standing. It's very difficult for a
person to establish that he or she has been subject to that government surveillance because the information is classified.
And, you know, now this program has been reauthorized for six years.
Our political conscience has sort of moved on.
And, you know, I can understand why this blogger feels a little hopeless.
Frankly, I think it was a big setback for those who wanted wide-ranging and sweeping
reforms to the surveillance program.
And from a law enforcement side, they make the case, I suppose, that requiring judicial oversight slows them down and impedes their ability to do their work in a timely manner.
Absolutely. And they have some backing in our Fourth Amendment
jurisprudence.
There's been this long running doctrine that if law enforcement or intelligence agencies have some
sort of special need, apart from normal law enforcement's needs of, you know, nabbing the
criminals and putting them behind bars, then generally they do not need a warrant to conduct
that surveillance as long as the search is reasonable. And how we've come to define
reasonableness is balancing the security interests involved, so the government's interest in
collecting that information, against the potential invasion of privacy. And, you know, trying to look
at that objectively, we know that Section 702, at least according to some of our top intelligence
professionals, has proven to be quite effective in thwarting terrorist attacks and identifying targets.
But, you know, you balance that against what I think is a major inhibition on privacy and civil liberties.
The fact that there's this so-called backdoor search.
The government could incidentally collect the communication of a U.S. person without any
prior judicial authorization. And if there's some sort of evidence of a crime contained in that
information, they can make an arrest on what would otherwise be an unconstitutional illegal search.
So we balance those security interests against those privacy interests. I think there are
arguments to be made on both sides, but it's something that I think I would like to see either really adjudicated in the
federal court or sort of played out in the public sphere. And I think this blogger and a lot of
others thought we were really going to get that debate in Congress when Section 702 was up for
reauthorization at the end of 2017.
But there was such a logjam of legislation that needed to get passed
that I don't think Section 702 really got the time
for the sort of protracted, wide-ranging debate
about electronic surveillance that I think many of us wanted to see
on the House and Senate floor.
Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep
you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly
produced in Maryland out of the startup studios of DataTribe, where they're co-building the next
generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yelin,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.