CyberWire Daily - Influence ops, third-party apps with an appetite for permissions, and criminal competition. Google purges malicious apps from the Play Store. Advice for whistleblowers. Farewell to Becky Bace.
Episode Date: March 15, 2017
In today's podcast, we look at influence operations in the UK and in Europe: the former emanate from Russia, the latter from Turkey. Third-party social media apps increase your attack surface. Petya ransomware is stolen and improved by rival crooks. Google purges bad apps from the Play Store. Patch Tuesday notes. A convicted leaker offers some unexpected wisdom for prospective whistleblowers. Lawyers can't figure out the GDPR. US said ready to indict four for the Yahoo! breaches. Emily Wilson from Terbium Labs discusses the effects of high profile breaches on Dark Web markets. Justin Harvey from Accenture Security wonders if private sector attribution is dead. And we bid a respectful farewell to Becky Bace, one of our industry's thought leaders.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Influence operations reported in the UK and in Europe.
Third-party social media apps increase your attack surface.
Petya ransomware is stolen and improved by rival crooks.
Google purges bad apps from the Play Store.
A convicted leaker offers some unexpected wisdom for prospective whistleblowers.
Lawyers can't figure out the GDPR.
The U.S. is said to be ready to indict four for the Yahoo breaches.
And we bid a respectful farewell to Becky Bace, one of our industry's thought leaders.
I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, March 15, 2017.
The UK continues to worry about Russian influence operations targeting upcoming elections. In an odd, possibly related development, Russia's embassy to the UK is said to have been converting its Twitter followers into newsbots ready to disseminate the Moscow line. But the big Twitter story this week has been the use of a common third-party app to hijack some high-profile Twitter accounts to spread a variety of messages running to Nazi symbolism and especially pro-Turkish messages in support of the Erdogan government and in opposition to several European states, notably the Netherlands and Germany.

The enabling vulnerability the hijackers exploited was in the third-party Twitter Counter app. As its name suggests, Twitter Counter is used for keeping track of a Twitter account's followers, but it did so at the cost of some pretty extensive permissions. Twitter Counter requested both read and write access to your account in order to tote up your followers. Why it asked for write access is unclear, but one of its victims, security expert Graham Cluley, speculates that the app's intent was to facilitate some self-promotion. In any case, Twitter Counter has blocked its own ability to write, which the company believes should take care of the issue.

The campaign was crude and implausible, but probably had some effect. Many of the tweets featured a swastika with the words Nazi Holland or Nazi Germany, as appropriate, usually displayed alongside a Turkish flag. It's unlikely, to say the least, that Amnesty International would be tweeting swastikas. Did we mention that the effort was crude? The campaign's intent appears to be the discrediting of EU states' preparations to tighten restrictions on guest workers and other immigrants, and to support demonstrations by Turks resident in those countries.

We heard from several security companies about this third-party Twitter hack. It's worth looking to the security of your social media accounts. RJ Gazarek of privileged account management shop Thycotic thinks we'll see more hijacking like this. Social media accounts provide a high-profile way of getting a message out, and as cyber operations increasingly serve influence operations, attackers will devote more attention to account hijacking. Nathan Wenzler of AsTech noted that the incident shows a typical attack sequence: start with a vulnerable app, then pivot into your ultimate objective. He advises reviewing the applications you've connected to your Twitter account and removing anything you don't use, and especially anything you don't trust. And of course, keep an eye on your Twitter timeline to see what's showing up there.

The messaging was generally aligned with Turkish government policy, but whether it was a state-directed attack, a state-inspired attack, or patriotic hacktivism isn't immediately clear.
There's also news from the criminal world, courtesy of researchers at Kaspersky Lab. The code for Petya ransomware, a strain of malicious code that's long been familiar, has been stolen and improved by a rival gang. The new variant is circulating as a trojan called PetrWrap, which installs Petya on machines in enterprise networks and then modifies the malware on the fly to suit its purposes. The emergence of PetrWrap is being taken as a sign of increasing competition among criminal gangs. Signatures for the new ransomware are being developed, but as Matt Kingswood of the managed service provider IT Specialists told us, there's no fail-safe way of recognizing and preventing ransomware. Your best bet is regular, secure backup.
ESET found some 13 malicious Android apps designed to steal user credentials and pay card information. They notified Google, which has purged the bad apps from the walled garden of the Play Store.
Yesterday was Patch Tuesday. Microsoft issued 18 bulletins, 9 critical. It also has continued to issue its patches in their old familiar form. Redmond evidently will delay the promised new style of patching for at least another month. Adobe has also fixed 7 issues in its Flash player.
When a private company discovers they've been hit by a cyber attack, there's often an understandable desire to publicly name the attacker. That's known as private sector attribution. Justin Harvey is managing director of incident response and threat hunting at Accenture Security, and he wonders if it's time to stop bothering with private sector attribution.

It's really difficult when you are working these investigations to have empirical evidence or have forensically sound evidence that someone has done something to you. There's the Internet saying, on the Internet, no one knows you're a dog. And in this case, for attribution, there's no way to empirically or forensically prove you're a dog or not, meaning a company thinks that a nation state or a criminal entity has attacked them based upon the malware, based upon their tactics, based upon what they were looking for or the searches. But you have to remember, all of those can be imitated. Most digital information can be reproduced in such a way that it could appear that it is that adversary, but it's actually another adversary masquerading as that entity or party.

What about the notion that there's something to be gained by naming and shaming?

That hasn't worked to date. I mean, we've seen that with President Obama naming and shaming and indicting Chinese PLA officers. We've seen President Obama publicly accuse certain nation states of cyber espionage, but nothing really moved the needle on that until he confronted President Xi Jinping in person about it in September two years ago. Because there's been so much talk about attribution, and I'd like to point to some of the cases last year around the election, where you have a case where there are the yes-sayers, or you have the accusers, and then you have the naysayers. And the naysayers, whether they were right or wrong, brought up very interesting scenarios around false flag operations, essentially masquerading your operations to lay the blame on someone else. And because there's been so much awareness around this, I think that nation states and adversaries out there are going to take advantage of this. And you're going to find false flag operations to be the norm. Because as an adversary, why would you create malware and compile it in your own time zone and have your own natural language? It's very easy to compile it in a different time zone and insert some Cyrillic or Chinese characters and then voila. Now you're this other adversary. And with the proliferation of malware as a service and malware toolkits you can buy off the web, you can take that one step further. So I would look to that to be one of the signs of essentially the cyber landscape or the cyber field of battle is changing with the sign of the times.

That's Justin Harvey from Accenture Security.
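Harvey's point that a compile time zone and a few embedded language strings are forgeable, as an added example that is not part of the episode or of Accenture's work: the script below builds a minimal, synthetic PE image (constructed for this example), reads the COFF TimeDateStamp and any Cyrillic strings from it, which are exactly the two indicators an analyst might reach for, and then rewrites both with two small writes and no toolchain. The function names, the sample build time and the planted string are this example's own assumptions; only the standard library is used.

```python
# Added example (not from the CyberWire episode or Accenture): the two "attribution"
# indicators Harvey mentions, a binary's compile timestamp and embedded language
# strings, pulled from a PE image with the standard library, then forged in place
# to show why neither can carry an attribution claim on its own.
import datetime
import re
import struct


def build_minimal_pe(timestamp: int, tail: bytes = b"") -> bytes:
    """Construct a minimal PE image (MZ stub + PE signature + COFF file header).
    Synthetic fixture for this example, not a real executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)  # e_lfanew: PE header begins at offset 64
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff + tail


def _pe_header_offset(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    off = struct.unpack_from("<I", pe, 60)[0]
    if pe[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return off


def compile_timestamp(pe: bytes) -> int:
    """TimeDateStamp from IMAGE_FILE_HEADER (seconds since the Unix epoch, UTC)."""
    return struct.unpack_from("<I", pe, _pe_header_offset(pe) + 8)[0]


def local_build_hour(ts: int, utc_offset_hours: int) -> int:
    """Hour of day at which the build happened for a builder at the given UTC offset."""
    utc = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
    return (utc + datetime.timedelta(hours=utc_offset_hours)).hour


def working_hours_offsets(ts: int) -> list:
    """UTC offsets for which the build falls inside a 09:00-17:59 workday.
    This is the 'compiled in their own time zone' heuristic; note how many offsets fit."""
    return [off for off in range(-12, 15) if 9 <= local_build_hour(ts, off) <= 17]


CYRILLIC_RUN = re.compile(r"[\u0400-\u04FF]{3,}")


def cyrillic_strings(pe: bytes) -> list:
    """Runs of three or more Cyrillic characters (UTF-8 encoded) found in the image."""
    return CYRILLIC_RUN.findall(pe.decode("utf-8", errors="ignore"))


def forge(pe: bytes, new_timestamp: int, planted: str) -> bytes:
    """The false flag: rewrite TimeDateStamp and append a planted string.
    Two writes, no recompilation, and both 'indicators' now point elsewhere."""
    patched = bytearray(pe)
    struct.pack_into("<I", patched, _pe_header_offset(pe) + 8, new_timestamp)
    return bytes(patched) + planted.encode("utf-8")


# Constructed sample: a build at 14:00 UTC on the day of this episode.
BUILD_TS = int(datetime.datetime(2017, 3, 15, 14, 0,
                                 tzinfo=datetime.timezone.utc).timestamp())
SAMPLE = build_minimal_pe(BUILD_TS)
# Forged copy: timestamp moved to 06:00 UTC (09:00 at UTC+3) plus a planted Cyrillic string.
FORGED_TS = BUILD_TS - 8 * 3600
FORGED = forge(SAMPLE, FORGED_TS, "Отладка")

if __name__ == "__main__":
    for name, img in (("original", SAMPLE), ("forged", FORGED)):
        ts = compile_timestamp(img)
        print(name, datetime.datetime.fromtimestamp(ts, datetime.timezone.utc),
              "workday offsets:", working_hours_offsets(ts),
              "cyrillic:", cyrillic_strings(img))
```

Run stand-alone it prints, for each image, the build time, the set of UTC offsets at which that build would have been an ordinary working hour (nine of them for either image, so the workday heuristic alone narrows very little), and the Cyrillic runs. The forged copy looks like a 09:00 Moscow build carrying a Russian string, produced by patching four bytes and appending seven characters. Treat such artifacts as corroborating at best, never as the basis for naming an adversary.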
In the UK, attorneys aren't sure whether the GDPR is legally binding already in advance of its formal implementation next year. In a breaking story, the U.S. Justice Department is said to be preparing indictments of four individuals in connection with the Yahoo breaches, especially the loss of data for 500 million accounts in 2014. One of the hackers is said to be resident in Canada, the other three are thought to be in Russia. And in even more recently breaking news, Russian authorities are said to have charged at least one of the three who are in that country with treason. They say he was spying for the Americans.
The Vault 7 story is still developing, but there's little new today. Wired does have an interview on leaks, however, with former CIA whistleblower and convicted leaker John Kiriakou about whistleblowing. His surprising advice to prospective leakers? Don't go directly to the media. Take the matter up with your chain of command first, then lawyer up.
And finally, we close on a sad note. Our friend Becky Bace passed away yesterday. We offer our condolences to her family. Becky was not only a researcher of distinction, but a friend and mentor to many information security professionals. She'll be missed. We've lost a founding figure.
And I'm pleased to be joined once again by Emily Wilson. She's the director of analysis for Terbium Labs. Emily, we had the recent Cloudbleed breach, which certainly gathered a lot of attention in the press and elsewhere. This sort of thing causes a bunch of activity on the dark web when these sorts of things happen.

Yeah, I think plenty of people are quick to piggyback on whatever the latest thing in the headlines is, right? You know, whether it was something like the LinkedIn breach or, you know, now we're seeing with Cloudbleed, I know of vendors claiming to have something like 150 million credentials for these sites that are impacted by Cloudbleed. But conveniently, somehow, in that set of credentials are sites that weren't impacted at all, like Netflix.

So they're using the notoriety of the breach to sell unrelated goods.

I think one of the things to keep in mind is that people who are looking for the latest set of whatever credentials are going to be looking for the same key terms that we would think of in terms of what's new, right? Like what's out there. And people are curious what other vendors have for sale. And some of the credentials that have shown up in this particular breach have already been available, have already been for sale.

Sure. I mean, I think we're all waiting to see just how big of an impact this breach is going to have in terms of credentials and kind of what gets leaked.

But yeah, definitely some of the names that are in this breach, I mean, you know, not these credentials if these credentials are available, but definitely these companies have had issues in the past and there are plenty of credentials for sale. And now we're hearing a new interest because this breach is new and people suddenly care about it, but it didn't seem to be all that interesting to people before with these listings that have been up for months or years in some cases.

All right, so even on the dark web, buyer beware.

Yeah, no, if it sounds too good to be true, it probably is.

All right, Emily Wilson, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.