CyberWire Daily - "Mia Ash" is an Iranian catphish. WikiLeaks dumps UMBRAGE from Vault7. Germany braces for hacking by Russia, China, and Iran. Google kicks unwelcome intercept tool Lipizzan out of the PlayStore. WhatsApp scammers phish for banking credentials. Anti-drone
Episode Date: July 27, 2017
In today's podcast we hear there's a new catphish out in the wild: meet Mia Ash. WikiLeaks throws shade by dumping UMBRAGE from Vault7. Germany braces for hacking by Russia, China, and Iran, especially by Russia. Google kicks unwelcome intercept tool Lipizzan out of the PlayStore. WhatsApp scammers phish for banking credentials. Business disruption kills small businesses in ransomware attacks, not the ransom itself. Facebook makes a plea for culture change. Ben Yelin from UMD CHHS on allegations the FBI was paying the Geek Squad to ferret out illegal content on computers brought in for service. Neill Feather from SiteLock dispels the notion that small businesses can rely on security by obscurity. And there are enough anti-drone products out there to make Wile E. Coyote max out his Acme loyalty card.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
There's a new catfish in the wild.
WikiLeaks throws shade by dumping UMBRAGE from Vault 7.
Germany braces for hacking from Russia, China, and Iran,
especially from Russia,
Google kicks an unwelcome intercept tool out of the Play Store,
WhatsApp scammers fish for banking credentials,
business disruption kills small businesses in ransomware attacks,
Facebook makes a plea for culture change,
and there are enough anti-drone products out there
to make Wile E. Coyote max out his Acme loyalty card.
I'm Dave Bittner in Baltimore with your Cyber Wire summary for Thursday, July 27, 2017.
Remember catfishing? Remember Robin Sage, the security expert who never was,
but who nonetheless attracted friends and job offers from within the U.S. Defense Department and the industry that surrounds it? She was a demonstration catfish,
but now she has some counterparts in the wild. Dell SecureWorks Counter Threat Unit presented their findings on one Mia Ash, a 20-something fictitious persona who purports to be a
photographer based in London. She's also supposed to be an amateur
model who's into social media and tech-savvy guys with ties to the oil and gas industry,
as ThreatPost puts it. Mia is an elaborately curated catfish run by the threat group
Cobalt Gypsy, aka OilRig, TG-2889, or Twisted Kitten. Cobalt Gypsy is thought to be operating on behalf of the Iranian government.
Its targets are governments, telecommunications infrastructure,
defense companies, oil companies, and financial service outfits in the Middle East and North Africa.
Mia Ash is being used to troll for connections in the oil and gas industries.
The operation's goal is to infect the marks with PupyRAT malware in a cyber espionage play.
So if you're bored out there on your production platform,
sorry to rain on your parade, petroleum engineers,
but Mia's not really interested in you because, well, there's no Mia.
WikiLeaks has dropped more documents from its Vault 7.
This week, it's the UMBRAGE Component Library, UCL,
a collection of publicly available exploits scouted,
WikiLeaks says, by Raytheon under a CIA contract
between November 2014 and September 2015.
The tools described in the UCL include
Emissary Panda's keylogging RAT,
the Samurai Panda version of the NfLog RAT,
the surveillance malware Regin,
the command-and-control arranger HammerToss,
and the information-stealing Trojan Gamker.
These are for the most part thought to be state tools.
The Pandas are believed to belong to China, and HammerToss is thought to be Russian.
But WikiLeaks offers a sinister, if not fully convincing, spin. Why would the agency be interested if not to repurpose these tools for its own attacks?
We can imagine a few reasons.
Security, counterintelligence, threat profiling, situational awareness all come to mind.
But WikiLeaks is not in the business of looking on the sunny side of Langley.
German elections are scheduled for September,
and that country's authorities are
determined to conduct them without interference, especially Russia's interference. German officials
warn that Russia is interested in elections, China is interested in intellectual property,
and Iran is interested in many things. The German government has established a command center and
beefed up security capabilities to deal with an elevated level of threat expected to continue to rise at least through September's elections.
Google has discovered and blocked a new strain of Android malware, Lipizzan, a very highly
targeted surveillance tool believed to have been produced by the Israeli firm Equus Technologies.
The discovery came during an investigation into Chrysaor,
spyware attributed to another Israeli lawful intercept shop, NSO Group. Lipizzan has been
expelled from the Play Store and is remediated by Google Protect.
Phishing continues to plague internet users. There's a WhatsApp scam running in which hoods
send an official-looking email telling the mark that their trial of WhatsApp is almost over and they need to pay if they want continued
service.
Needless to say, the mark is directed to a plausible-looking portal where they're asked
to enter banking information.
Ransomware is found to kill small businesses through disruption, not extortion payments.
It's the inability to do business at all that proves lethal,
not losses connected to paying off the criminals.
You've probably heard the term security by obscurity,
counting on the fact that you're too small or uninteresting
for the bad guys or gals to bother with you.
Neill Feather is president of website security company SiteLock,
and he says relying on security by obscurity is asking for
trouble. More than 80% of attacks are targeted at businesses with fewer than 100 employees.
A lot of the attacks that get the major kind of publicity tend to be against large organizations,
you know, think Sony, Target, Home Depot, those kinds of things. But what folks don't realize
is that even the smallest business has data, website traffic, and other kind of resources that are of value to cyber criminals.
And so they really view small businesses at times as the low-hanging fruit that they're able to take advantage of out there on the Internet.
Let's explore that some. What kinds of stuff would they be after from a small business?
You know, they tend to be after anything from traffic, like website traffic.
So, you know, even if you have a small business website, you have visitors that are coming to your site.
And if a hacker is able to, you know, take those visitors and redirect them to a malicious location or some other kind of site, a phishing site, for example, where they're able to get user credentials, usernames, and passwords.
They can use that information for subsequent attacks against those visitors.
Beyond that, every website also has a certain value for search engine optimization,
and a lot of quote-unquote gray hat search engine optimization
is hacking links to third-party websites into otherwise legitimate websites to help boost the
SEO of the third-party website and hackers are getting paid to insert links into other people's
sites. So those are just a couple of the things that every website has access to that hackers
would be interested in for financial gain. And you all make the point that quite often, even folks who've had
their websites hacked may not even know it. Yeah, exactly. So one of the things that we
notice is a lot of times website owners will come to us only after they've been told by
a visitor or a search engine or an antivirus provider that something happened with their
website. What is unfortunate about that is, you know, there's been some damage done there,
both to their reputation and to the website. So, you know, one thing that criminals have
gotten really good at is hiding the fact that they've hacked their website. So, you know,
they really don't want to be caught, right? So the longer they're able to continue to siphon
off traffic, siphon off data, that means the more money they're going to make. So they do a good job of hiding themselves from the website owner, either through disguising their code or, you know,
making sure that they only show the malicious information one time to each user or other
techniques that really help them, you know, kind of live in the shadows of your website.
And, you know, you really need to work with experts to make sure that you're applying the
right type of product to the right type of, you know, infrastructure asset that you have. So if
you have a website, you really want website security. Whereas if you're trying to protect a
PC or an endpoint, you know, you really want something that's tailor-made for that. So
it's really important for, you know, small businesses to be working with experts
in the various different security fields.
That's Neill Feather from SiteLock.
A presentation at Black Hat by two researchers, one from ZeroFox, the other from RIT,
suggests that academic training for cybersecurity is misaligned with the job market
because it's misaligned with the realities in the wild. Thus, they conclude, traditional academic programs and certifications
continue to fall short. They see a hermetic system and say, academia really traditionally
encourages people to stay within academia and not get out and learn new things and come back.
In his Black Hat address, Facebook's security chief made a strong pitch
for more empathy in the security profession.
Only this, he suggests, is likely to produce much-needed change,
particularly in opening the industry to those who've previously felt excluded or marginalized.
He stressed that recruiting is one thing, retention quite another,
and that companies should work to keep the talent they bring in.
The Game of Drones at Black Hat,
it's like Game of Thrones, but you got that right,
just trying to be helpful here,
well, it showed that stopping drone incursions is harder than it looks.
Security firm Bishop Fox has taken a look at the anti-drone market
and found lots of stuff that looks as if Rube Goldberg and Heath Robinson had been retrained by the Acme Company as engineering consultants.
They've seen jammers, bazookas that shoot nets, other drones that go up and dogfight the intruding drones, and so on.
Bishop Fox notes cautiously that many of these may be illegal in certain jurisdictions, especially the jammers.
The authorities might have fewer problems with your bazooka than with your attempts at meaconing an unwelcome drone.
So get smart and lawyer up
before you take matters into your own hands.
We're sure there's some Second Amendment jurisprudence on this
waiting to be litigated in the U.S., right, counselors?
Or just get in touch with Wile E. Coyote.
He is, after all, a super genius.
Calling all sellers.
Salesforce is hiring account executives
to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents,
winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
In a darkly comedic look at motherhood and society's expectations,
Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son.
But her maternal instincts take a wild and surreal turn
as she discovers the best yet fiercest part of
herself. Based on the acclaimed novel, Night Bitch is a thought-provoking and wickedly humorous film
from Searchlight Pictures. Stream Night Bitch January 24 only on Disney+.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Joining me once again is Ben Yelin. Thank you. In this case, the FBI is investigating a Minnesota man after he took his computer into the Geek Squad and they turned him in.
So every time that you go to the Geek Squad, when you are consenting to service, you sign a piece of paper that says that if they discover any illegal, illicit material on your device, they have the right to send it to law enforcement. So it's pretty clear based on that and based on the
principle that when you bring anything into the public sphere, when you submit any of your
information to a third party, you are forfeiting your reasonable expectation of privacy in that
information. The particular issue here is that there were allegations that the FBI was paying
the Geek Squad to detect information from an individual's computer
and use that in a law enforcement investigation.
And that could potentially run afoul with the Fourth Amendment's prohibition on illegal searches and seizures,
particularly when they're using this forensic software program.
In one of the instances, in a different case, an image was found, was located on the
drive's unallocated space. And that's a place that contains deleted data. So it would be difficult
to prove, for example, that somebody knowingly possessed that data. And that presents Fourth
Amendment issues because you don't have probable cause that someone actually has child pornography,
yet you're doing the search regardless. So this is the difference between, say, the Geek Squad folks happening upon something
and actively seeking it out?
Yeah, exactly.
So when the Geek Squad stumbles upon it in the course of their technological repair work,
that's one thing.
When it's a coordinated effort between the FBI and the Geek Squad, when they're working
together to figure out how to search an individual's computer, you start to almost get into
issues of entrapment. Is this just a backdoor way of doing a search that runs afoul of our Fourth
Amendment principles, where you actually have to have a reason, probable cause, to search somebody's
private information? If it's in plain view, I think somebody who had
child pornography on their computer is going to be completely out of luck. But if it's the FBI
using the Geek Squad and using their information security knowledge about how to extract
information that's not in plain view on one's computer, then we start to run afoul of Fourth
Amendment principles. And so just to be clear, this is an allegation.
It has not been established that this is actually what was going on, correct?
Yeah. So neither the Geek Squad nor the FBI has confirmed this relationship, although
I think one of the parties admitted that there has been a similar relationship in the past. I think
somebody from the Geek Squad, while they say we don't work for the FBI,
he acknowledged that supervisors have received payments for the FBI in years past,
but those Geek Squad employees were summarily dismissed because it's against company policy.
So those employees were not employed when this latest case came to light.
We'll keep an eye on it.
As always, Ben Yelin,
thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just
a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening.
Your business needs AI solutions that are not only
ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.