CyberWire Daily - Looks like Comment Crew, but probably isn't. Facebook breached by spammers. Twitter's big troll trove. Router issues. Who dunnit to YouTube?

Episode Date: October 18, 2018

In today's podcast, we hear that a campaign reuses some of the old Comment Crew code, but McAfee researchers think it's not the same old Crew. Facebook thinks its big breach was the work of spammers, not spies. Twitter releases a trove of trolling and invites researchers to take a look. Researchers disclose flaws in D-Link and Linksys routers. Ghost Squad says that they downed YouTube the other day, but who knows? And if YouTube goes down, please don't call 911. Dr. Charles Clancy from VA Tech’s Hume Center on cognitive electronic warfare. Guest is Mike Janke from DataTribe on Maryland’s aspirations to be the nation’s hub of cyber operations. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/October/CyberWire_2018_10_18.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 A campaign reuses some of the old Comment Crew code, but McAfee researchers think it's not the same old Crew. Facebook thinks its big breach was the work of spammers, not spies. Twitter releases a trove of trolling and invites researchers to
Starting point is 00:02:11 take a look. Researchers disclose flaws in D-Link and Linksys routers. Ghost Squad says that they downed YouTube the other day, but who knows. And if YouTube does go down, please don't call 911. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, October 18, 2018. Researchers at McAfee Advanced Threat Research report finding a hitherto unremarked data reconnaissance implant that's targeting Korean speakers. They're calling it Oceansalt, an homage to the earlier Seasalt implant that the old Chinese Comment Crew used back in 2010. Indeed, Oceansalt reuses code from Seasalt. The very prolific and busy Comment Crew, also known as APT1, is thought to have gone dormant since its exposure in 2013, but it would now seem to be back. Only it doesn't seem to McAfee that this is in fact the familiar Comment Crew. There's code similarity, but on other grounds, the researchers conclude that this is a different actor.
Starting point is 00:03:23 McAfee's report posits three possibilities, and they're commendably reticent about jumping to an attribution. Here are the possible scenarios they think most likely. First, it might be a code-sharing arrangement between what's left of Comment Crew and some other threat actor. Or it could be the case that a different group has gotten the Seasalt source code from someone who'd worked in the old Comment Crew. Or finally, it could be a false flag operation, with some unknown threat actor seeking to make it appear that China and North Korea were colluding in this campaign.
Starting point is 00:03:57 The researchers do say that whoever wrote the code had at least a good working knowledge of the Korean language. Operations are thought to be closely targeted, with implants distributed via two compromised sites based in South Korea, and to be prospecting targets in Canada and the U.S., as well as in the Republic of Korea. The campaign infected its targets through spear-phishing, the phish bait in most cases being malicious Excel files. It proceeded in five waves.
Starting point is 00:04:26 The first wave targeted South Korean universities, the second, South Korean public infrastructure, and the third wave, the Inter-Korean Cooperation Fund. The fourth wave hit targets outside North Korea, mostly in the U.S. and Canada. And a fifth wave prospected American and South Korean organizations. The story is developing. In the meantime, see McAfee's report for details on what to look for. Many U.S. states aspire to become the Silicon Valley of cyber, and several of them have thriving startup communities. To mention just a few, there are thriving companies along Colorado's Front Range; in San Antonio, Texas; Huntsville, Alabama; Atlanta, Georgia; New York, New York; and Boston, Massachusetts.
Starting point is 00:05:11 What they tend to have in common are alpha customers, university researchers, or venture capital. Sometimes they have all three. We're biased, however, in favor of Baltimore, and we think the Chesapeake already is the Silicon Valley of cyber. It has all three of these ingredients, including the biggest alpha customer of them all, right next door to us at Fort Meade. And in the spirit of full disclosure, we're one of the hundreds of companies in Maryland's cyber sector, which also spills over into Virginia and even the District of Columbia. We produced this show from the studios at DataTribe, and we're pleased to acknowledge DataTribe as an investor. And today we speak with DataTribe's Mike Janke, who's working to bring some of the startups who've cut their teeth on government work into the commercial space
Starting point is 00:05:55 at Port Covington in Baltimore. It's an opportunity where you coalesce the largest concentration of commercial cybersecurity companies. I liken it to this, Dave. Texas is where you drill to get oil. You don't go to Iowa to drill oil to try to compete with Texas. Why? Iowa doesn't have the oil. It's much like Maryland would not have much of a chance if it tried to become the financial epicenter of the world. That's New York City.
Starting point is 00:06:28 Maryland has the largest body of cyber and cyber-trained experts in the world by far. You have the NSA, CyberCom, DISA, and 30 other classified federal organizations on cyber. New York doesn't have that. Texas doesn't have that. California doesn't have that. So much like the oil in Texas, all the talent is here. And is that talent a result of the proximity to government? Is it universities?
Starting point is 00:07:01 Is it research and development? What caused that natural resource, if you will, to spring up here and not somewhere else? It's because of all of those, Dave. You have obviously the classified agencies that have hundreds of billions of dollars of funding, NSA, CyberCom, DISA, Applied Physics Lab, so on and so forth. But Maryland, for the first time, passed California in 2017 for graduating the most computer science, cyber engineer-related graduates in the country. And what you have now is you have this massive nation-state-trained cyber computer science force that's fighting the Russians, the Chinese, the Iranians from the offensive side. You have the largest university system graduating computer and cyber engineers. And now you begin to build this commercial ecosystem. This is why we're building Cyber Town USA right outside of Baltimore in Port Covington. So in an interconnected world where we can be connected to anyone anywhere in the world with our mobile devices, with our computers, why is proximity important? Why put everyone together in one place at a place like Port Covington?
Starting point is 00:08:24 What are the advantages to that? That's a great question. In this area, the average age of, let's say, an experienced seven-year cybersecurity expert coming out of the NSA or CyberCom is about 31, right? In Silicon Valley, it's about 23. So they may have a husband, kids, a wife, a home. And so it's very, very hard for them to uproot and move to, you know, take the train to New York or California.
Starting point is 00:09:00 The other part of that is right now in Maryland, there are over 260 cybersecurity firms and startups, but they're spread all over. So Port Covington is very unique. It is about 230 acres on the water, raw, where Under Armour put its headquarters. The other part of it that is unique, that's never found anywhere in the world, is it is the only place, the only small city, if you will, that has its own hardened fiber optic cable that they control. It's not controlled by city, state, or county. So all those components aligning where on day one, as the buildings are going up, there will be between 30 and 40 commercial cybersecurity firms moved in. So Maryland and Baltimore itself have given the largest tax incentive fund in the country at 600 and something million dollars for
Starting point is 00:10:08 this area. Then you couple in the secure, hardened infrastructure from day one. So in the world of cybersecurity, there really is a war going on to actually be the flag in the ground that says, going on to actually be the flag in the ground that says this is the cyber commercial, cyber hub of the world. But again, you don't drill for oil in Iowa. And that's the advantage of Maryland. And I'm a transplant. But the reason I'm here is as an investor and startup builder, this is where the talent is. That's Mike Janke from DataTribe. Facebook has concluded that the breach it recently sustained
Starting point is 00:10:47 was the work of criminal spammers and not a nation-state's intelligence service. The spammers appear to have been interested in using the data stolen from 30 million individuals to increase their revenue from bogus advertising. And, of course, the data lost in the Facebook breach can certainly be used to craft more convincing social engineering attacks. Be on the qui vive when you answer the phone or look at your email. Twitter has released a trove of Russian tweets issued at the time of the UK's Brexit vote. The sock puppets were for it, which will probably come as no surprise, since sock puppets tend to think political change is in itself a good thing.
Starting point is 00:11:26 The surge in pro-Brexit tweets occurred on June 23, 2016, the day of the Brexit vote. The troll farmers had as many as 3,800 bogus Twitter accounts, and they tweeted out some 1,100 posts with the hashtag ReasonsToLeaveEU. What effect the tweets had on the voting is of course unclear. Twitter's release includes more than just pro-Brexit trolling. The company has also released inauthentic Twitter activity targeting U.S. voting, Russian domestic issues, and so on. The hope, Twitter CEO Dorsey says, is that researchers will find the material useful.
Starting point is 00:12:11 Iranian operators have been using fake social media personas in relatively ineffectual attempts at influencing U.S. elections. The Atlantic Council's Digital Forensic Research Lab notes that the Iranian effort was much smaller than the information operations mounted from Russia. One difference between the two approaches seems to have been that the Iranian operators were more focused on achieving specific shifts in public opinion. The Russian approach was opportunistic, which in this case paradoxically means it was more sophisticated. Their goal seems to have been simple disruption, an increase in their adversaries' friction. It's easier to throw sand in the gears than it is to direct an engine. Researchers at Poland's Silesian University of Technology
Starting point is 00:12:51 have found remote code execution vulnerabilities in D-Link routers. Security Week's report says no fixes appear to be available. And a different set of routers has also been discovered to be vulnerable. Cisco Talos researchers have found flaws in Linksys E-series routers, but in this case there are patches available. NBC News sends GCHQ's National Cyber Security Centre a mash note, saying the U.S. has nothing like it and should copy it. We're fans of the NCSC, but perhaps NBC is overlooking the Department of Homeland Security's National Protection and Programs Directorate. NPPD fills a similar role. Not identical, but similar, and it's being tested during the current midterm election season. And finally, from our slacker desk comes this particular nugget.
Starting point is 00:13:46 Make of it what you will. If you were among the many disappointed idlers who found they couldn't watch PewDiePie on YouTube for about an hour Tuesday, well, maybe there's an explanation. The skids at Ghost Squad are twittering that they're the ones who took down YouTube. That's Ghost Squad the hacker losers, not Ghost Squad the first-person shooter, or Ghost Squad, the online TV show. Our slacker desk hastens to clarify a confusion we didn't have the heart to tell them we never really suffered. The report comes from The Sun, which says the tweet said, quote, YouTube downed by Ghost Squad hackers, end quote.
Starting point is 00:14:23 And it even came with four hashtags: GSH, Ghost Squad Hackers, YouTube Down, and Downed by GCH. So there you go. But YouTube's now been up for some time, whether the outage was a hack or a glitch. Our favorite reaction to the incident came from the Philadelphia Police Department, which tweeted, Yes, our YouTube is down too. No, please don't call 911. We can't fix it.
Starting point is 00:16:01 And joining me once again is Dr. Charles Clancy. He's the executive director of the Hume Center for National Security and Technology at Virginia Tech. Dr. Clancy, welcome back. We had an
Starting point is 00:17:22 interesting article come by. This was from Avionics Today. And the article was discussing cognitive electronic warfare. It was titled Radio Frequency Spectrum Meets Machine Learning. This is something that is up your alley. Can you describe to us what's going on here? So over the last 10 years, we've seen a shift in the cognitive radio ecosystem. So if you're familiar with cognitive radio, it's this idea that we can put artificial intelligence behind a software-defined radio,
Starting point is 00:17:52 and that artificial intelligence can better control the radio, make it work better in the environment, particularly in the face of interference or jammers or noise. You can look at the flip side of that and say, well, what if we put artificial intelligence behind a jammer? How might it be able to outwit the cognition that sits behind the cognitive radio? So over the last 10 years, we've had three different communities develop. You have the cognitive radio community that's trying to build the wireless devices that can outwit things in their RF environment.
Starting point is 00:18:26 We've also seen the cognitive radar community come into existence with radar systems that are increasingly sophisticated and intelligent and able to work around different sources of interference or jamming in the environment. And then cognitive jammers that are trying to outwit the AI that's in the adversary systems. This is sort of leading to this interesting AI arms race in the electromagnetic battle space where you've got jammers and radars and communication systems all sort of trying to get into each other's head and figure out what the other one's going to do next. Does any of them have any sort of lead over the others?
Starting point is 00:19:07 Well, first, just because of the RF environment, it's a really, really hard problem. You can imagine there's noise, there's distortion, there's multipath. There's all kinds of effects in the RF environment that make it difficult to know exactly what the other person's doing. It's like, I don't know, trying to play chess against someone, but you're not able to directly observe the chessboard. You can only sometimes see a blurry version of the chessboard, and you have to try and infer what their strategy is. So it makes it really interesting. Of course, from a university perspective, it's a really interesting research problem of how much information can you actually glean about an adversary through noisy observations through the RF environment. But then there's a lot of real practical applications within a lot of these military systems.
Starting point is 00:20:01 Now, are these the sorts of things that we could find eventually trickling down to consumer devices? Certainly the cognitive radio technology we've seen for the past 20 years, really beginning to increasingly influence Wi-Fi and cellular technologies. As far as the jammers, of course, it's still illegal to operate a jammer in the United States under the Communications Act of 1934.
Starting point is 00:20:20 So hopefully not. Yeah. All right. Well, it's interesting stuff as always. Dr. Charles Clancy, thanks for joining us. Thanks a lot.
Starting point is 00:20:42 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:21:27 And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Starting point is 00:21:57 Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
