CyberWire Daily - More coordinated inauthenticity taken down. The Westphalian system and cyber conflict. VPNs and an AV company sustain incidents. Assange and extradition.

Episode Date: October 22, 2019

Facebook takes down more coordinated inauthenticity from Iran and Russia, and announces a new transparency policy about news sources. The former NSA Director schools an ICS security audience on the Westphalian system. Three VPNs and one antivirus provider sustain breaches that may be contained, but that may also derive from exploitation of phantom accounts. Microsoft gets more EU scrutiny. And Mr. Assange gets another day in court.  Johannes Ullrich from the SANS Technology Institute on phishing targeting the financial industry. Guest is Ori Eisen from Trusona on moving beyond phone numbers, usernames and passwords online. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_22.html

Transcript
Starting point is 00:01:22 Facebook takes down more coordinated inauthenticity from Iran and Russia and announces a new transparency policy about news sources. The former NSA director schools an ICS security audience on the Westphalian system. Three VPNs and one antivirus provider sustain breaches that may be contained, but that may
Starting point is 00:02:15 also derive from exploitation of phantom accounts. Microsoft gets more EU scrutiny, and Mr. Assange gets another day in court. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, October 22, 2019. Facebook announced yesterday that it's removed four distinct networks of accounts, pages, and groups from Facebook and Instagram for engaging in coordinated inauthenticity. Three of the networks originated in Iran, the fourth in Russia. Two of the Iranian networks advanced a pro-Iranian, anti-Israeli, and anti-U.S. line. Their audience was principally in the U.S. and the Francophone regions of the Middle East and North Africa.
Starting point is 00:03:05 The third promoted similar content to a Latin American audience. The Russian network pursued Moscow's now-familiar strategy of deepening existing fissures in American civil society. The policing of coordinated inauthenticity that Facebook and some other platforms are pursuing seems to many a promising approach. It serves clarity and transparency without necessarily engaging the platforms in direct moderation or control of content. Facebook also said it will begin labeling content from state-controlled media not to censor them, but to hold them to a higher standard of transparency,
Starting point is 00:03:42 the Telegraph reports. Thus, we can expect Facebook to flag news from RT, to take an example often given, as emanating from a media service controlled by the Russian government. We continue to cover SecurityWeek's 2019 ICS Cybersecurity Conference. Now in its second day, the conference this morning featured a fireside chat with retired Admiral Mike Rogers, formerly Director, U.S. National Security Agency, and Commander, U.S. Cyber Command. He reviewed the strategic motives of the opposition in cyberspace. Singling out North Korea, Russia, and China, he noted that these adversaries have different motives. North Korea seeks to circumvent the international sanctions
Starting point is 00:04:25 that continue to strangle its economy. Russia's goal is basically disruption, with Moscow strongly interested in eroding trust in Western and especially in U.S. institutions. China works in the service of its economic development, and its characteristic activity is intellectual property theft. What they have in common, however, is an understanding of cyber as embodying new military and espionage capabilities, and they use those capabilities in the service of their strategic objectives.
Starting point is 00:04:56 So, Admiral Rogers made a case for approaching cybersecurity, in the context of national security, as a risk management problem, and, he argued, sound risk management should begin with an appreciation of the opponent's strategic goals. When we work through that risk calculus, he emphasized that we inevitably work with constrained financial and human resources. We can't, he said, buy or human capital our way out of the problem. Instead, we need to take risk-based decisions, and to make sure that those decisions are informed by a sound understanding
Starting point is 00:05:29 of the opposition's strategy. We have to prioritize what we defend. As he put it, if someone takes down an unclassified website, who cares, really? But if they get into a nuclear command and control system, that's a very serious matter indeed. Just passively responding will place us on the wrong side of the cost equation, Admiral Rogers argued. In any conflict, quote, I want to engage in actions that shape my adversary's choices. I want to drive him to make choices that benefit me, end quote. This is as true in cyberspace as it is in any other domain. He thinks that the future is about building integrated, multidisciplinary teams.
Starting point is 00:06:11 As he put it, you can't improvise teams in a crisis. They must be formed in advance and exercised appropriately. If you do this, then you have a proper basis for cooperation, and in a crisis you're so much smarter and faster. A lesson he said he learned from Russian cyber operations in 2016 was the importance of communicating at high levels. He said, quote,
Starting point is 00:06:30 We thought that informing the normal working level in the private sector was sufficient. If we were to do it over, we should have taken it to CEOs, CISOs, and not the lower levels. End quote.
Starting point is 00:06:41 And of course, effective cooperation for security requires effective information sharing. Admiral Rogers said, the pain of the one has to lead to the benefit of the many. If it doesn't, then the pain of the one is forgotten and is repeated over and over and over again. Discussion of nation-state activity against industrial control systems inevitably raises questions about where responsibility for an appropriate response lies. Admiral Rogers pointed out that a response always starts with a question. Are you confident you know who did this? This isn't easy to determine.
Starting point is 00:07:17 False flags are becoming more common, especially since one of the Russians' takeaways from their experience in 2016 running information operations against the U.S., is that they need to cover their tracks. For this reason, and for others, he takes the view that hacking back, as it's popularly called, is a non-starter. Quote, I'm a believer in the Westphalian model,
Starting point is 00:07:38 in which the application of force is fundamentally a governmental responsibility. End quote. Drawing upon an example he used in his days at NSA and Cyber Command, he said that if you're the sheriff trying to keep order in a town, the last thing you want is more people walking down the street carrying guns. There's a spectrum of purely defensive actions that private companies can take, but there are, he said, massive liability questions surrounding any of the active measures people talk about. And he closed with an observation about kinetic versus cyber responses. The response to a
Starting point is 00:08:12 cyber attack need not itself be a cyber reprisal. Whenever there's a cyber attack, that attack has a physical dimension to it. There's a server, for example, at a specific latitude and longitude. There's a human being at a keyboard. How to respond should be governed in all cases by the traditional laws of war, and how to respond should above all be determined by considerations of proportionality. We'll have more notes from SecurityWeek's ICS Security Conference over the course of the week. One of the most commonly heard bits of security advice these days is to enable multi-factor authentication.
Starting point is 00:08:49 It's solid advice, and research shows that doing so greatly reduces the odds of falling victim to any number of compromises. Ori Eisen is CEO at Trusona. He maintains that multi-factor is great, sure, but why not rethink the whole username and password thing altogether? So the 2FA wave kind of started about 20 years ago. And when we say the word 2FA or two-factor authentication, what we are really saying is that there's always the first factor, which is username and password, something that you know, and we need to augment it with a second
Starting point is 00:09:23 factor. In fact, that was the point where we should have realized something is wrong with using passwords because we need to strengthen them. And over time, for that second factor, we invented a multitude of things as an industry. We had those tokens that changed numbers, and we had the KBAs, knowledge-based authentication, like what's your mother's maiden name. But over time, people realize that I can just send you a text message to your phone with an OTP, a one-time passcode. And that became a very prevalent 2FA way to authenticate. Unfortunately, today it's being foiled time and again,
Starting point is 00:09:59 and it is no longer serving its purpose. And what are the primary ways that it's being foiled? If I call the telephone company that serves your phone, and I pass the authentication challenge of your identity, and it's pretty easy to do, I can simply tell them that I got a new phone, and I want to port my SIM to this new phone.
Starting point is 00:10:21 And then if I try to log into the bank, they send me as the attacker your one-time passcode, not you. And the victim is not even aware that this is going on. Well, let's delve into that some. I think passwords have been around so long, and we use it in so many ways, that it's hard to imagine any other way. But you're saying there are alternatives. And I see that it's becoming more and more prevalent, which is really good, so people would see what it looks like.
Starting point is 00:10:48 But imagine you go to your bank, and in addition to username, password, and login, you have a new button called the passwordless login. And all it does is once you click on it, it takes you to a page with a QR code that is changing every 30 seconds, so it's not a sitting duck. And in the app, the mobile app of your bank, you have a button that allows you to open a scanner, and you simply point
Starting point is 00:11:12 at the QR code. That's it. You don't have to remember anything. You don't have to type anything. It's super secure because it changes every time, and even if a crook was listening to the session and copying it, there's no way for them to retransmit it and gain access. So it's maximum convenience for the user. They don't have to do anything. And super security on the other end. And this technology already exists. So, I mean, with something like this, is it possible to then jettison username and password altogether?
Starting point is 00:11:43 That is correct. And I know it's hard to believe. And some people say that can't be. But at our company and many of our clients, they simply do not use username and password. From a new employee that joins, all they do is get a phone, they enter the email of their corporate email, they register that phone to that. And from that moment on, that is what they use. That is their key or authenticator, but they have never set from the get-go username and password. Are there any downsides to this approach? Are there any extra complications or roadblocks or
Starting point is 00:12:18 speed bumps? The only complication is that you need to have your phone with you, and most people do, and for that reason some security practitioners may leave username and password open for a little while until people get used to it. But that's the only complication. You need to have this key because you don't want to remember passwords in your head. What happens if I lose my device? So if you lose your device, two things happen. First of all, no one can get in there because it's protected by biometrics. So there's no fear of a rogue getting into your accounts. In addition, your CISO can just turn off that device so no one can get access with it. And once you get your new phone, you simply re-register, re-prove your identity. The simplest
Starting point is 00:13:02 method is just by corporate email. Another level above it is to show your driver license to the app. And that's it, you're in. Do you see us moving towards a day when people just stop thinking about usernames and passwords that's become a thing from the past? I think that in the next three to five years, if you do not offer username and password to your employees and your customers, you will start to look like a has-been. It will be very similar to me using a fax today to send you my resume, David. But I can tell you that the future is already here. It's just not well distributed. But yes, over time, using passwords to open a new account will just look ridiculous. That's Ori Eisen from Trusona.
Starting point is 00:13:51 NordVPN, TorGuard, and VikingVPN are said, by Ars Technica and others, to have experienced breaches that leaked encryption keys. NordVPN and TorGuard have issued statements intended to reassure users that their security has not been seriously compromised. Avast has suffered more issues with its CCleaner product. The breach, which Avast says is now fixed, appears connected to exploitation by foreign intelligence services. ZDNet says Czech intelligence services identified the culprit as China. Krebs on Security points to a common factor in the NordVPN and Avast breaches, forgotten user accounts. The European Data Protection Supervisor has released an update on its ongoing investigation
Starting point is 00:14:35 of Microsoft's contracts with various European institutions. That investigation remains incomplete, but the EDPS says that it has serious concerns over the adequacy of contractual provisions designed to ensure compliance with data protection rules. And finally, Julian Assange is back in the news. The WikiLeaks proprietor, having worn out his welcome and with it his asylum in Ecuador's London embassy, is presently serving time in a British jail. Both Sweden and the US have expressed their interest in giving him a day in court. Mr. Assange is more concerned about the U.S. charges he faces and is fighting extradition across the Atlantic. He says the U.S. indictment is politically motivated
Starting point is 00:15:18 and that his alleged crimes amount to political offenses. Besides, it's also unfair. The U.S. is notoriously well-resourced, and he's a David without a slingshot against a Goliath with a horde of lawyers and even psychologists behind him. Mr. Assange faces 17 counts under the Espionage Act and an 18th count of conspiracy to hack a military computer. When asked by the British judge if he understood the charges against him, Mr. Assange, according to the Washington Post, mumbled, not really. It's hard not to sympathize with the notion of him being a David, one supposes, but the Post article seems to do a pretty good job of explaining the charges.
Starting point is 00:16:04 Calling all sellers. Salesforce is hiring account executives to join us on the cutting Thank you. and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:16:53 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses
Starting point is 00:17:48 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Johannes Ulrich. ulrich he's the dean of research at the sands technology institute and also the host of the isc stormcast podcast johannes it's always great to have you
Starting point is 00:18:34 back. You have been tracking some targeted phishing that's going after the financial industry. What do you have to share with us today? different and that you may actually fall for. In this particular case, the phishing was directed at a company that actually offers loans, so they're used to, for example, for home loans, to receive documents from title agencies and such. And in this phishing email, the phishing attack actually tried to claim to be one of these title agencies. And now, of course, the recipient is used to receiving links to download sites, is used to receiving attachments like PDFs. So they actually used this email to then trick the victim to click on a link that would then steal their credentials for their cloud-based email service. Do you have any tips for how to avoid this sort of thing? I mean, this is something that's part of what they have to do to stay in business every day. And exactly, that's sort of what the attacker is going after here. Now, I think the defense here is really, how do you prevent the credentials from actually being used?
Starting point is 00:20:07 That's really what this is about. What typically happens sort of as a follow up to these attacks is that the attacker would use these email credentials then to log into this employee's email account. And then typically, you would see some business email compromises a follow up. So that's how they actually make money. So what you really need to protect is that login to these cloud based mail services. And, you know, the number one thing you can probably do here is some form of two factor authentication.
Starting point is 00:20:36 So even if they get through and the phishing attempt is correct, the two factor will then thwart their attempt to control that email account. Yes, that's the hope here. Now, there have been some tricks how attackers have taken advantage of two-factor and still very able to actually compromise the account. But those are much less common. So two-factor is probably the simplest, if you want to call it simple, thing that you
Starting point is 00:21:03 can do to protect yourself against this. Yes, your user education helps. I think another thing that you should do is in your awareness education, don't just use these fairly easy to recognize emails. But you show people, hey, last week, we did receive one of these emails. That's actually, I think, one of the things that I'm missing a lot, in particular, sort of from the financial industry and such, that a lot of these attempts aren't shared. Now, in this case, they didn't fall for it. Nobody clicked on it. No damage was done. They did a job right. Why not share with others? Hey, we received this particular email.
Starting point is 00:21:41 Loan Depot, the company, shared this with us, they're very open about this. And I think that helps others then to protect themselves. Because now I can show my users, this is an attack that even a competitor or another company in our vertical here did receive. So be ready for it. They're not just using these simple emails full of typos that aren't really of any interest to you. So almost a herd immunity that the more information we can share, the safer we'll all be. Yep. Information sharing, that's really what helps us really a lot. And we have to really share better than the bad guys because they apparently are sharing a lot of their tricks. Right, right. All right, Johannes Ullrich, thanks for joining us.
Starting point is 00:22:25 Thank you.
Starting point is 00:23:04 And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:23:38 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Vilecki, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:23:59 John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
