CyberWire Daily - Influence operations, and advice on recognizing them. Ransomware updates. US indicts Chinese nationals for industrial espionage. An object lesson from the US Geological Survey.

Episode Date: October 31, 2018

In today's podcast, we hear about influence operations in social media (again): Americans remain more vulnerable (because they lack a cultural experience of state propaganda) than Eastern Europeans. Rules of thumb for recognizing the good, the bad, and the bogus online. Kraken Cryptor is a black market leading ransomware strain. SamSam remains active. US indicts Chinese industrial spies. And what not to look at on your Government laptop. David Dufour from Webroot with thoughts on processor vulnerabilities. Guest is Maria Rerecich from Consumer Reports on their product testing processes, and how they've evolved to keep up with the times. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_31.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. why Americans are more vulnerable than Eastern Europeans, rules of thumb for recognizing the good, the bad, and the bogus online, Kraken Cryptor is a black market leading ransomware strain, SamSam remains active, the U.S. indicts Chinese industrial spies, and what not to look at on your government laptop.
Starting point is 00:02:32 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 31, 2018. Influence operations of various kinds continue to romp through social media as social networking platforms grapple under election-driven security with the inherent difficulty of content moderation and various other alternative forms of rumor control. Bitdefender and other security companies have been tracking information operations serving up fake news and other forms of propaganda. The focus is naturally enough on next week's U.S. midterm elections, but influence campaigns have been active in Brazil, the U.K., and elsewhere. People remain fairly easy marks for stuff served up in the social media groups,
Starting point is 00:03:11 which seem to constitute a kind of untrustworthy circle of trust for users. WhatsApp groups, in particular, are being mentioned in dispatches as fonts of misinformation. The messaging platform is especially popular in Brazil, as BuzzFeed notes, and that country's recent elections have spawned a great deal of politically crafted misinformation. Because WhatsApp is both encrypted and structured as a peer-to-peer network, it's difficult to track which memes are going viral, but such monitoring, as has been possible, suggests that the platform is just as rife with fantasy, misdirection, and misinformation as its Facebook parent. Americans, too, are apparently suckers for Russian trolling.
Starting point is 00:03:54 The Daily Beast has swatted through Twitter's recent dump of Internet Research Agency tweets. The Internet Research Agency is, of course, the Bear Sisters' big troll farm in St. Petersburg. The Daily Beast concluded that the Americans tend to lap this stuff up. The Internet Research Agency's English language service, if we may call it, is assessed by the Daily Beast as being nine times more effective than its offerings in Slavic and Baltic languages. This is measured by the engagement the English-language tweets attract over here in the land of the free, and frankly, it's embarrassing. In fairness, to those of us who live in the home of the brave,
Starting point is 00:04:35 people who lived in the old Soviet Union or the former Warsaw Pact still have long, sad living experience with state propaganda of the Russian variety. They expect it, and they've developed a kind of skeptical herd immunity that's lacking in North America. Security firm Proofpoint is offering a quick five-point guide to critical consumption of online news, a short course in skepticism. First, they say always look for a source. If there's no source offered, that's a bad sign.
Starting point is 00:05:05 So is an urgent request for you to take action. Second, look for bots and block them. There are various tools available to spot some bots, at least. But as a quick screen, be suspicious of a low number of Facebook friends, recently created accounts, very few posts, no profile picture, and a disproportionately high following-to-follower ratio. Third, take a look on Facebook at the info and ads. This may contain some information on who exactly is behind an ad you're seeing. Fourth, don't click on Twitter DM or Facebook
Starting point is 00:05:40 Messenger links. And fifth, use your quality Twitter filter, which you'll find in the setting and privacy section. You can use this to mute notifications from accounts that exhibit some of the characteristics of untrustworthy tweeters. Are these infallible? By no means. Assessing whether content is true and whether a source is trustworthy is a problem epistemologists have wrestled with since before Plato wrote the Charmides. If it had been an easy solution, it would put a lot of journalists, lawyers, polygraph specialists, and philosophy faculties out of business. But they do provide a certain useful approach to filtering messages. And if they strike you as reminiscent of advice on social
Starting point is 00:06:22 engineering, that's no accident. Influence operations are, after all, just social engineering. Consumer Reports is well known for their comparative testing of popular household devices, everything from vacuum cleaners to hair dryers or microwave ovens. These days, they're testing digital electronic devices as well. Maria Rerecich is Director of Electronics Testing at Consumer Reports. One of the things that we are working quite a lot on is trying to understand how we should incorporate the smartness or the connectedness of these products and what should we, what attributes should we test of these products. So we're very good at being able to test,
Starting point is 00:07:03 you know, what temperatures are in the refrigerator and how well does a lawnmower cut, but what should we look at? How should we determine about the connectedness? But we also have this other layer, of course, of data privacy and security. And that is something where we're looking, working very hard on how we evaluate that in a way that we can put it into our ratings. Because when we do testing, we do comparative testing. So we're not testing to a standard. We test to our own test protocols that are always consistent and they're defined so that across a product category, we test the products the same way. But we do things very deliberately. We want to make sure we have a good test before we roll it into ratings.
Starting point is 00:07:49 Now, one of the projects that you're working on is called the Digital Standard. Can you describe to us what is that about and what are you hoping to accomplish here? Yeah, so what the Digital Standard is, is a list of criteria that we've put together to say, what should a product that is good, you know, what is goodness in this connected world? And what should this product have in the areas of data privacy and security to work well and to be good for the consumer and good for the person who's getting this product. So we wanted to define what principles needed to be there. And we basically had four themes. There's security, privacy, governance, and ownership. So security is about how safe or resistant to attack is the product
Starting point is 00:08:38 from hackers. That would include topics related to encryption and security updates? Is it private? We have privacy. It deals with permissions and data sharing and consumer control of their data. Can the consumers actually control what data is collected and what happens to it after it's collected by these devices? Governance is whether the company's policies are good for the consumer and how well do the policies protect consumers' privacy and data and things of that nature. And then ownership is the fourth theme in the digital standard that handles concepts such as the right to repair or permanence of functionality. So those are the themes of the digital standard. Then each of those themes have multiple criteria. So the criteria specify what a test should look for.
Starting point is 00:09:27 We decided that rather than expressing those criteria from a very technical standpoint, we wanted to anchor them on consumer expectation. So technical criteria for an environment of the room might be the temperature should be between 68 and 72 degrees Fahrenheit. It has such humidity. You measure with sensors placed in locations. But we wanted to make these statements of criteria consumer-friendly. So in this example, the consumer expectation might be the room should be comfortable. So in the digital standard, that expectation might be, I should be able to know what data, what type of data this product is collecting about me.
Starting point is 00:10:05 We start that way because we want to make sure, we want to try to have these concepts of privacy and security make sense to people and make them understand why they should A, care and why they should B, perhaps select products based on how they handle the data privacy and security. We actually have it at thedigitalstandard.org. The the is important in that URL. And we have links in it to a GitHub and we solicit any kind of feedback into the GitHub. We look at that to try to improve what we're working on there. We also encourage people and other organizations to use it and to test things with it and to exercise it and make improvements in that way. Consumer Reports will use it and are using it for our testing, but we may not use the entire set. It's something like over 40 criteria. It's meant to be
Starting point is 00:10:59 a very large umbrella of things that are good in a digital connected product world. That's Maria Rerecich from Consumer Reports. Security companies Recorded Future and McAfee have released their studies of Kraken Cryptor with particular attention devoted to how the ransomware is distributed through a black market affiliate scheme. The ransomware, which was first spotted this August, operates by using email to interact with its victims, as opposed to deploying a noisy and readily taken down command and control infrastructure. It's hired out by its masters to criminal clients. The crooks keep about 80%
Starting point is 00:11:38 of their take, with the other 20% going to the group whose frontman or marketing director uses the nom de hack This Was Kraken. They distribute the ransomware with, for the most part, the Fallout exploit kit. Kraken Cryptor uses an online casino, Bitcoin Penguin, to launder the ransom payments they receive. Those payments are delivered in the form of, wait for it, Bitcoin. From looking at the countries excluded from attack by Kraken Cryptor, Recorded Future concludes that the gang operates from Iran, Brazil, or former Soviet republics, or perhaps from some combination of these.
Starting point is 00:12:16 Another strain of ransomware, SamSam, which crippled Atlanta earlier this year, is being tracked by security firm Symantec, which concludes that SamSam is being used mostly against U.S. targets. The central lesson of ransomware protection remains that an enterprise should regularly and securely back up its files. The U.S. Department of Justice yesterday released an unsealed grand jury indictment of 10 Chinese nationals, at least two of them serving intelligence officers, charging them with industrial espionage against at least 13 U.S. companies in the aerospace sector. The activities revealed in the indictment, Wired observes,
Starting point is 00:12:56 shows the Ministry of State Security's adherence to classic forms of agent recruiting and handling. This proceeds by spotting potential agents, assessing their value, developing them by accustoming the recruit to performing small, trivial, apparently innocent favors for the recruiter, then recruiting them, and finally handling them as they deliver information
Starting point is 00:13:18 and receive whatever compensation the intelligence service has seen fit to provide. Finally, the U.S. Geological Survey's inspector general found the source of a major malware infestation that propagated across the Interior Department agency. An employee used his government device to surf through some 9,000 pages of adult content. One could see maybe a slip-up here or there,
Starting point is 00:13:43 perhaps a baker's dozen of moments of weakness, but 9,000. Wow, that's a lot. Oh, and those adult sites were, again, wait for it, mostly Russian. Surprised? No, we weren't either. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:50 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:15:28 That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is David Dufour.
Starting point is 00:16:27 He's the vice president of engineering and cybersecurity at Webroot. David, this year we have seen a parade of vulnerabilities revealed about processors, hardware issues. Take us through why now and what does it mean for us? Well, I think initially it was kind of a new area that no one had looked at because you're right, we have seen a parade starting out with the Intel based problems earlier this year with Spectre and Meltdown. And then it's kind of moved, people have started looking at other chips, you know, AMD, things like that. And I think the basic reason we're seeing it is someone found an
Starting point is 00:17:06 area to start exploring and a bunch of folks with knowledge in those fields started saying, well, heck, I know about these kind of chips. Let me see what's going on with the ones I work with. And so there's just been a lot of digging in that area now and it's kind of taken on a life of its own. So where does that leave us, though? I mean, are we going to see these speculative processing capabilities dialed back as new hardware is released? I think that's a great question. I think you're going to see the manufacturers spend some serious effort in tightening this up. It's akin to Windows in the 90s and early 2000s, where the important thing was making things interoperable. But then all of a sudden, everybody realized, oh, my gosh, that made it insecure. I think you saw a lot of that in the
Starting point is 00:17:54 hardware side because there wasn't a lot of hardware hacking going on and things of that nature. But I think they'll spend a lot of time and energy now and reevaluate what they're doing. I firmly believe you won't see a regression in what the chips can do and how they interoperate at that lower level. You'll just see improvements of the security built into them. So let's just say, though, Dave, you're sitting around your house wondering, is this something I need to worry about? You know, there's a couple of reverse engineers I have here at the office and we like to sit around and when some new type of threat comes out, we noodle on, hey, how could we make some money with this threat if we were out in the wild and we weren't afraid to go into prison? And so what we do is kind of ideate on some business
Starting point is 00:18:41 models nefarious actors would take. And we got to say on this chip thing, it is important that if you're a large enterprise or you're, you know, maybe even a government entity or a contractor for a government entity, you want to probably be paying attention to this, because if nation states or other large, you know, competitive actors may have an interest in you, this is something they may want to do to get into your environment. But I got to tell you, David, it's really hard stuff. This isn't like downloading some malware, taking advantage of a flash exploit,
Starting point is 00:19:17 and boom, I own your machine. It's a little bit more work than that, and by a little, I mean considerably. And so for your listeners, you know, my home computer, I'm not too worried about it. But for those, you know, the percentage of your folks who do have to support large enterprises, they might want to just take the time to inventory what they've got in-house and maybe what steps they should take to prevent or block these types of threats from exposing themselves. Now, the cloud providers, they've been on top of this in terms of applying the patches and so forth, right? That is true.
Starting point is 00:19:52 When it first came out, everybody was kind of worried, well, if I'm hosting something in the cloud, and can I get to the operating system through my hypervisor and get to the chip? And there was concerns around that. But they have been on top of it. And I say that not because Amazon or Google or Microsoft call me up and they're like, Dave, we're on top of this. I'm more saying it from the perspective of we haven't seen any big outbreaks. So I really think they took this seriously because they did say they were. And we haven't seen any major issues around it. All right. Well, obviously, it'll be interesting to see what comes the rest of the year and moving forward. David Dufour, thanks for joining us. Hey, great being here, David.
Starting point is 00:20:43 Cyber threats are evolving every second and staying ahead is more than just a challenge. Thank you. you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland
Starting point is 00:21:49 out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Starting point is 00:22:01 Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in.
Starting point is 00:22:38 With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
