CyberWire Daily - Moscow HUMINT drought? Spying on the Patriarch. Ottoman hacktivism. Iranian information operations. ISIS in cyberspace. RtPOS malware discovered.

Episode Date: August 27, 2018

In today's podcast, we discuss reports that suggest US HUMINT collection in Russia has dried up. Russian intelligence services are showing an interest in disrupting a grant of autonomy to the Ukrainian Orthodox Church by the Ecumenical Patriarch. Turkish hacktivism shows up in the US, as journalists' social media accounts are hijacked. A look at Iranian information operations. ISIS limps back into cyberspace. A new point-of-sale malware family is discovered. David Dufour from Webroot on the role of engineers in securing an organization. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_27.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners. Today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Reports suggest U.S. HUMINT collection in Russia has dried up. Russian intelligence services are showing an interest in disrupting a grant of autonomy to the Ukrainian Orthodox Church by the Ecumenical Patriarch.
Starting point is 00:02:10 Turkish hacktivism shows up in the U.S. as journalists' social media accounts are hijacked. A look at Iranian information operations, ISIS limps back into cyberspace, and a new point-of-sale malware family is discovered.
Starting point is 00:02:35 From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 27, 2018. As the week opens, there's considerable news of state-directed espionage and information operations, as well as some efforts that may represent patriotic hacktivism closely aligned with state interests. The New York Times reported over the weekend that CIA sources inside Russia have gone dark and have possibly gone underground, leaving Langley with much less insight than it formerly had into Russian intentions, especially intentions with respect to U.S. midterm elections. The story cites sources inside the intelligence community who say they think the agents probably went underground
Starting point is 00:03:16 as opposed to having been arrested or killed by Russian security services. Commentators speculate about a range of causes for the agents' disappearance. These run from the Russian sources having been spooked and intimidated by the attempted assassination of Sergei Skripal in Salisbury, England, to more aggressive and effective Russian counterintelligence, to the theory that the agents never existed in the first place. That third possibility is the least plausible. It's being retailed by Russia Today in response to the New York Times piece. RT says that, quote, not for a moment do
Starting point is 00:03:53 the authors or their anonymous sources from inside the U.S. spy community contemplate the possibility that Russia might not be doing anything at all. That, however, would upset the apple cart of Russian meddling, carefully built from smoke and mirrors since mid-2016, and that just wouldn't do. End quote. Forgive them the mixed metaphor of an apple cart's being built of smoke and mirrors, although that indeed would be worth seeing, but their next claim is less forgivable. RT thinks that concerns about Skripal's attempted assassination by Novichok nerve agent is more evidence that the whole affair is bogus, because the Salisbury attack is something, quote, for which the British authorities never provided any evidence, end quote.
Starting point is 00:04:38 Essentially, no thinking person outside the editorial staff of RT believes that. Probably not even the editorial staff of RT itself. But that's another apple cart. In any case, the New York Times says that human intelligence, HUMINT, about 2018 election influence operations, has dried up. The story's developing. We shall see. In other news that's been evergreen since A.D. 1054, the Russian government is said to be collecting intelligence on the Orthodox Church.
Starting point is 00:05:12 This time the target is private correspondence of Ecumenical Patriarch Bartholomew I, whose seat is in Istanbul, formerly Constantinople. Russian interests in Ukrainian religious developments apparently provide the proximate motive. Patriarch Bartholomew is considering whether to grant the Ukrainian Orthodox Church autonomy from the Patriarch of Moscow. Doing so would be seen in the Kremlin as an unwelcome blow to general Russian claims of transnational relevance and authority. Tensions between the U.S. and Turkey, connected to Turkey's detention of a U.S. missionary and Turkey's growing rapprochement with Russia, have manifested themselves in hacktivism by supporters of Turkish President Erdogan.
Starting point is 00:06:00 CrowdStrike reports that members of the group Ayyildiz Tim took over social media accounts belonging to journalists at Fox News, Bloomberg, and the New York Times. Ayyildiz Tim claims the support of Turkish security services, but it's worth noting that Turkey has for some years had active groups of patriotic hacktivists. Like Ayyildiz Tim, they often show an Ottoman nostalgia that marks the Turkish government's current retreat from the republic's traditional Kemalist secularism. Security and cyber intelligence firm FireEye is receiving mash notes from several newspapers.
Starting point is 00:06:37 The prize for most starstruck goes to the Los Angeles Times, which gushes about the company's analysts being the Navy SEALs of cyberspace. Breathlessness aside, FireEye deserves credit for the work it's done over the past few weeks identifying and unmasking the Iranian cyber operators active in disinformation campaigns against regional and Western rivals and opponents. Their advice facilitated takedowns of bogus, inauthentic sites representing themselves as legitimate ones. Not the least of the company's contributions may be its account of inauthenticity, which may be far more useful in countering information operations than criteria like fake or hateful or inappropriate, all of which seem to enmesh social media and IT firms in problematic content
Starting point is 00:07:26 judgments. FireEye uses inauthentic to describe sites that are not transparent in their origins and affiliations, undertake concerted efforts to mask those origins, and often use false social media personas to promote their content. In the case of Iranian operations, the content on the bogus sites was in large part cut and pasted from other original sites, sometimes altered, and stitched together with poorly constructed passages not written by native speakers of the languages in which they were cast. The other large Iranian campaign currently under discussion was described by SecureWorks under the name Cobalt Dickens.
Starting point is 00:08:07 This espionage effort, largely directed against university targets and presumably being conducted to gain access to newly developed technology, has exhibited connections with Iran's Mabna Institute, named in earlier U.S. indictments of Iranian hackers. Iranian cyber operations are generally thought likely to increase as sanctions are reimposed on Tehran for its nuclear program. U.S. Army Cyber Command's leader thinks ISIS will step up its online activity as the small remaining physical territory of its aspiring caliphate shrinks to insignificance.
Starting point is 00:08:44 He's not alone. The group now holds only small, discontinuous pockets in Syria and Iraq, and it's increasingly being displaced by competing jihadist groups in the struggle for adherents. Its current online activities consist significantly in taking credit for unrelated acts of ordinary, if brutal, crime, usually murders. Researchers at Booz Allen Hamilton report on RtPOS, a newly identified point-of-sale malware family.
Starting point is 00:09:14 RtPOS's lack of data exfiltration capability suggests, disturbingly, that it's a post-compromise tool. The researchers note that the malware is simple, highly automated, and flies easily under much of the detection radar in place to watch over point-of-sale systems. Security firm Securonix has an account of the theft of $13.5 million from India's Cosmos Bank in the second week of this month. It involved a malware infection, an ATM switch compromise, and a compromise of the bank's SWIFT environment. They think the infection originated
Starting point is 00:09:52 with spear phishing, and they say the prime suspect is one of the usual ones, North Korea's Lazarus Group. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:10:49 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform
Starting point is 00:11:57 secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by David Dufour.
Starting point is 00:12:26 He's the Senior Director of Cybersecurity and Engineering at Webroot. David, welcome back. We wanted to touch today some on the different roles that different team members play in an organization when it comes to effective security. And we wanted to talk about engineers. There's some misunderstanding there. What can you share with us? Well, you know, I'm fortunate to run a great engineering org inside of a cybersecurity company.
Starting point is 00:12:52 So we can look at things a little bit from a couple of perspectives. You know, generally engineers have a really good deep knowledge of software, how it works. We're talking about computer engineers, of course. So we have a great relationship with our CISO and our security organization. So being in engineering, we can see things potentially that could be problems that other folks in the organization may not be witness to. So we try to foster a relationship with our engineering team to work with other organizations, marketing, sales, the CISO, just to kind of let them know what we're doing and our experience.
Starting point is 00:13:32 Now, how about communications? I mean, do you have to come up with sort of a, I don't know, an unofficial Rosetta Stone so that everybody can be speaking the same language? You know, I don't know why you'd say that, David, because engineers are the most clearly understandable people on the planet. Go on. Honestly, yes. You know, we have some engineers that we joke, you know, some of our machine learning folks, they can only speak in calculus. They think they're dumbing it down when they're writing, you know, formulas for you instead of, you know, straight up calculus. So. But to your point, I think we've
Starting point is 00:14:07 identified several key folks inside of our organization who speak engineering and security in a way that takes it out more broadly. And the good thing about that, identifying those types of people, is it allows them to convey the excitement that engineering folks typically have about what they're making and what they're doing to other parts of the organization, which in our environment here then allows our sales and marketing folks to really take that excitement out to the rest of the world. So to say every engineer can speak to everyone, I think that's a stretch. But what you have to do is identify those folks who can really take the message out of engineering into the rest of the organization.
Starting point is 00:14:51 And how do you foster that environment of collaboration and make sure that those folks don't end up siloed? Yeah, you know, David, that's a great question. And the first thing you have to do is always, always keep pushing, because it's very natural for folks to get heads down, to really want to focus on what they're doing. Because most engineers, what they're doing, they love to do, and they'd rather just work on that all day. So it takes effort and energy to push them. And so a lot of times your internal PR, external PR, they make a great bridge for drawing people out to be able to communicate what they're doing. Sometimes as an engineering management lead, I've got to set up discussions and force people to spread their wings a little bit. But once they see folks are curious, once you're fostering those conversations,
Starting point is 00:15:46 it kind of starts to take on a natural life of its own, but you do have to push and you've got to, you know, you got to put energy into it. Yeah. All right. Well, it's a good perspective as always. David Dufour, thanks for joining us. Thanks for having me, David.
Starting point is 00:16:14 Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire.
Starting point is 00:17:00 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson,
Starting point is 00:17:32 Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
