CyberWire Daily - Infrastructure hacking. No Russo-American agreement in cyberspace. Android malware infestations. Misspelling as OPSEC

Episode Date: July 10, 2017

In today's podcast we discuss some answers to two Russian claims. No, Russia and America won't be linking up in a cyber alliance. And no, no one at the G20 meetings actually bought the line about election hacking retailed there by President Putin and Foreign Minister Lavrov. NotPetya recovery continues. Android infestations in the wild. US power plants warned to be alert for cyberattack. Criminals compromise self-service food kiosks; others phish with official-looking Australian emails as bait. Ben Yelin from UMD CHHS reviews license plate reader laws. ISIS adopts misspelling as a form of OPSEC.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. And no, no one at the G20 meetings actually bought the line about election hacking retailed there by President Putin and Foreign Minister Lavrov. NotPetya recovery continues. U.S. power plants are warned to be on alert for cyber attack. There are more Android infestations in the wild. Criminals compromise self-service food kiosks.
Starting point is 00:02:19 Others phish with official-looking Australian emails as bait. And ISIS adopts misspelling as a form of OPSEC. I'm Dave Bittner in Baltimore with your Cyber Wire summary for Monday, July 10th, 2017. Those notes of Russo-American cooperation on cybersecurity, briefly tweeted this weekend from the G20 meetings, had a short but colorful life, every bit as truncated as a 140-character text. President Trump suggested that his discussions with President Putin might well result in the formation of some joint U.S.-Russian unit to fight cybercrime, but these were quickly qualified as aspirational diplomatic hopes for an indefinitely distant future.
Starting point is 00:03:07 The tweets in question came under immediate and very harsh Republican criticism, so this thaw in the cyber-cold war between the two countries lasted a few apparent hours only. U.S. officials were quick to dispute President Putin's and Foreign Minister Lavrov's contention that everyone at the G20 meetings, the U.S. included, had accepted Russia's protestations that it's been entirely innocent of election hacking and related influence operations. That's not the case. President Trump later said that he'd told President Putin to cut it out during their long meeting. Secretary of State Tillerson called the two countries' disagreement over the issue intractable, and U.S. Ambassador to the U.N. Haley said that, of course, everyone knows the Russians
Starting point is 00:03:51 were trying to meddle with elections. So put any thoughts of close cooperation for cybersecurity into the nice idea isn't going to happen category. Whatever Foreign Minister Lavrov might say, the U.S. continues to hold Russia responsible for hacking and influence operations during 2016's elections. In addition to lingering concern about election hacking, U.S.-Russian relations in cyberspace are particularly frayed by two recent incidents. The first is the extent and expense of NotPetya infestations. By consensus, NotPetya is regarded as having begun as an attack on Ukrainian infrastructure, particularly financial services, but also power distribution and other targets. As recovery proceeds, observers give authorities in the U.S. and Europe generally high marks for their response, but warn it might be harder next time.
Starting point is 00:04:43 And the costs exacted by NotPetya remain unknown, but it's thought they'll be high. The NotPetya attack is generally believed to have been mounted by the Russian government. That's the official position of the government of Ukraine. While they're certainly not disinterested parties, given the ongoing hybrid war with Russia, a large number of outside observers tend to agree with Ukraine's government. FireEye has commented that signs do point to Russia, although they add the customary caution that all that can generally be hoped for in attribution is high confidence.
Starting point is 00:05:17 The preliminary attribution of NotPetya to Russian threat actors, believed to be responsible for attacks on Ukraine's power grid, gives added point to the FBI and DHS warnings about attempts to penetrate U.S. electrical power utilities. These appear to have been probes that reached into business networks but not operating systems. Authorities and utilities say there's no immediate danger to either public safety or power distribution, but the involvement of at least one nuclear plant, Wolf Creek in Kansas, has spooked the media. The warnings were raised by the FBI
Starting point is 00:05:51 and the Department of Homeland Security. The Department of Energy is providing security assistance to threatened operators. We heard from Paul Edon of Tripwire about the security challenges this sort of incident poses. He said, quote, With most industrial control systems now connected to the Internet, they have become vulnerable to targeted cyberattacks and cyberespionage campaigns.
Starting point is 00:06:12 However, because the systems were not designed with security in mind, they are largely unequipped to deal with these attacks, end quote. He strongly recommends that organizations review not only frameworks like the NIST Guide to Industrial Control System Security, but especially their own response and resiliency plans. Andrea Carcano of Nozomi said that, quote, the U.S. has to assume that all parts of critical infrastructure are being probed for vulnerabilities 24 by 7 from a risk management point of view, end quote. The increased connection of formerly separated infrastructure elements should,
Starting point is 00:06:47 Carcano thinks, lead enterprises to take a serious look at real-time anomaly detection and machine learning. Nozomi's Edgar Captivelli pointed out the persistence of phishing as a favored tactic in gaining access to networks and systems. He said, quote, targeting engineers with phishing messages is pretty straightforward and, if successful, could be extremely damaging, end quote. The days in which one could be confident that air gapping offered protection are long gone. CopyCat and SpyDealer malware are infesting the Android ecosystem, which it describes as an unusually
Starting point is 00:07:23 capable data stealer, thought to be able in principle to root one out of every four Android devices. It's affecting mostly Android phone users in China. The good news on SpyDealer is that it never seems to have made it into Google's Play Store, being distributed instead packaged within third-party apps called Google Service or Google Update. And there's more good news on this one, too. Google Play Protect is said to be able to detect and remove infections. The other malware, Copycat, is a lingering ad fraud vehicle that Google has also mitigated with recent updates.
Starting point is 00:07:59 But according to Check Point, users in Southeast Asia who haven't updated their phones remain vulnerable. Several cybercrime campaigns are being reported. In Australia, email inboxes are being flooded with phishing notes that spoof communications from the Australian Securities and Investments Commission. Businesses are being told their name is due for renewal and are directed to a link where that name can be renewed. Needless to say, the
Starting point is 00:08:25 link is malicious. Whether the intent is compromise, destruction, or data theft is so far unclear. Avanti Markets, owner of food vending kiosks, disclosed that hackers might have compromised not only customer paycard accounts, but even some of the physical biometrics associated with those accounts. Plixer's Michael Patterson said that vulnerable vending machines are nothing new, but the criminals' current focus on stealing personally identifiable information is, relatively speaking, a novelty. In standards news, the World Wide Web Consortium, W3C, announced it will promote the Encrypted Media Extensions, EME, as the standard for digital streaming.
Starting point is 00:09:07 This decision is controversial. Opponents say concerns about consumer protection weren't considered. Finally, it seems that ISIS is turning to a new OPSEC tool, creative misspelling. Security firm Cyberint has noticed the appearance of words like jahood for jihad. The intent appears to be evasion of automated intelligence collection. The civilized world may reasonably hope that such primitive codes will be readily broken. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword.
Starting point is 00:09:50 It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:10:26 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations, Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. And now, a message from the world. From Searchlight Pictures. Stream Nightbitch January 24 only on Disney+.
Starting point is 00:11:45 And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak.
Starting point is 00:12:23 Learn more at blackcloak.io. Joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We've got a couple of interesting stories here, one from the Washington Post and one from Car and Driver, of all places, for cybersecurity. And these are about privacy and these devices that law enforcement use to sort of vacuum up license plates as they drive around in their cars. And there's some interesting legal fights having to do with these devices and people's rights to privacy. Why don't we start with the one in California, which is about collecting data? Sure. So there's this piece of legislation in California that actually failed this past week in subcommittee.
Starting point is 00:13:13 In California, it's completely legal to cover your car entirely. Let's say you don't want your computer to get baked in the hot California sun. You could put a cover on your entire car. However, it's somewhat interesting that it is not legal in California to obscure just your license plate. And that's because law enforcement uses these license plate readers that they attach to generally law enforcement vehicles. They sort of look like glorified WALL-E robots, but far less cute and friendly.
Starting point is 00:13:48 And not only does law enforcement take this information and use it, you know, to catch criminals, but it's also used by private entities. It's used by debt collection agencies. It's used by for-profit private companies that can track your, they can purchase some of the data from license plate readers and track your purchasing history. So it presents major civil liberties issues. You know, the interesting part of the California case is that it doesn't make much sense that just your license plate is something that you're not able to cover when it is entirely legal to cover the whole car. So this committee vote in the California State Senate failed by just a single vote in the
Starting point is 00:14:26 Transportation and Housing Committee, and legislators think that once the issue is taken up again in the near future, that they might reach a different result. And so meanwhile, in Virginia, they're talking about how long can the state keep that data that they collect? Right. So most states have some sort of system of laws that dictates one way or another how long law enforcement can keep the data collected from license plate readers. Virginia is not one of those states. They have other statutes that might apply. There's one that talks about the government's ability to hold on to any records retrieved from law enforcement. This case originated at the district court level.
Starting point is 00:15:07 It was brought by the ACLU on behalf of an individual. The lower court held that a person does not have reasonable expectation of privacy in their license plate. And this makes intuitive sense to us. You go out with your car, anybody can take a picture of your car, private individual, government.
Starting point is 00:15:24 When we talk about the legal standard of a reasonable expectation of privacy, it makes intuitive sense that you forfeit that expectation once you put your car out on the street. Now, it's very interesting that the Virginia Supreme Court has decided to hear that case because that suggests that they might see that it is a violation of the reasonable expectation of privacy. You may be consenting to somebody taking a picture of your license plate once, but are you consenting to everything that comes with license plate readings? So, you know, a mosaic of your life, your trips to your therapist's office, your political and religious associations. So you're going to have to tackle those issues in the context of the Fourth Amendment. And this is the first time that a case about license plate readers
Starting point is 00:16:10 has gotten to this level of state court anywhere. So it'll be very curious to see how that state Supreme Court holds and whether the case makes it up to the U.S. Supreme Court. All right. We'll keep an eye on it. Ben Yelin, as always, thanks for joining us. a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Starting point is 00:17:36 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
