CyberWire Daily - Observations on the Mueller Report. Doxing Iranian intelligence. Insecure messaging. Old Excel macros. Wipro hack and gift cards.
Episode Date: April 19, 2019
Some observations on the Mueller Report, in particular its insight into what two specific GRU units were up to. (And some naming of DCLeaks and Guccifer 2.0 as GRU fronts.) Someone is doxing Iran's OilRig cyberespionage group. A French government messaging app appears less secure than intended. Old Excel macros can still be exploited. And what were the Wipro hackers after? Gift cards, apparently. Malek Ben Salem from Accenture Labs on the Cisco Talos report on malware markets in Facebook groups. Guest is Barbara Lawler from Looker Data Sciences on GDPR, CCPA and the coming wave of privacy legislation. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_19.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Some observations on the Mueller report, in particular its insights into what two specific GRU units were up to.
Someone is doxing Iran's OilRig cyber espionage group.
A French government messaging app appears less secure than intended.
Old Excel macros can still be exploited.
And what were the Wipro hackers after?
Gift cards, apparently.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, April 19th, 2019.
The U.S. Special Counsel's report on Russian interference in the 2016 presidential election was released in redacted form yesterday, finding insufficient evidence of collusion, that is, conspiracy and coordination, between the Trump campaign and Russian intelligence services, and offering no recommendation on obstruction.
The Mueller report's conclusions about Russian operations are unambiguous. The GRU's Unit 26165 did the hacking, and the Internet Research Agency managed the influence campaign.
The report also concluded that the GRU's Unit 74455 retailed the results of the doxing through its subsidiaries DCLeaks and Guccifer 2.0 and through a sympathetic WikiLeaks.
It's perhaps not unreasonable to note that WikiLeaks, for all of its pose of disinterested commitment to transparency, has never shown much disposition to similarly traffic in discreditable Russian material, like the Panama Papers. Much the opposite, in fact.
So, not a wholly owned front like DCLeaks or Guccifer 2.0, but pretty close to being an agent of influence.
The report contains a good bit of information on how the GRU worked.
It began by spear phishing personnel in the Democratic National Committee and the Clinton campaign, and following up that phishing expedition with credential theft. Once inside targeted networks, the attackers used Mimikatz to harvest credentials. They used X-Agent for screenshots and keylogging and X-Tunnel for data exfiltration. Middle servers were used to obfuscate the destination of the traffic.
While the Trump campaign thought it would benefit from discreditable material so released, the investigation did not establish that any members of the campaign conspired or coordinated with the Russians.
That's true of both the hacking and the subsequent social media campaigns.
According to the report, the investigation did not identify evidence that any U.S. persons knowingly or intentionally coordinated with the Russian organizations.
The report noted that collusion is not really a well-defined legal concept.
It's more a journalist's than a lawyer's term,
and so the report explained that what people call collusion,
the investigators treated as a combination of the legal concept of conspiracy
and the less formal concept of coordination, which lacks a settled legal definition.
The investigators approached their task within the framework of U.S. federal conspiracy law.
Since coordination appeared in the document appointing the special counsel,
the report explains that the investigation construed coordination
as requiring an agreement, tacit or express,
and that coordination required more than two parties simply taking actions
that were informed by or responding to one another's actions.
The discussion, we note, seems to be all about the GRU's Fancy Bear, with its FSB colleague Cozy Bear not earning a mention, unless it's buried obscurely in the report's 448 pages and we've just overlooked it. Still, one bear is more than enough.
Iran's APT34, the hacking group also known as OilRig, is itself being doxed. A Telegram channel called Read My Lips is dumping the group's tools and some of its identities online. Wired compares them to the Shadow Brokers. Whoever they are, and neither disgruntled insiders, opposition groups, nor foreign intelligence services can be ruled out, their declared motive is exposing, quote, "this regime's real ugly face," end quote.
Alphabet's Chronicle, Google's security-focused corporate sister, has been watching Read My Lips, and they confirm that the tools being dumped do indeed appear to be OilRig kit. The doxing group has so far published not only tools, but also evidence of the intrusion points used against some 66 organizations OilRig has targeted. Also dumped are the IP addresses of servers Iranian intelligence uses, and, more troubling for those so targeted, the names and photographs of people Read My Lips says are working for OilRig.
The doxing group explained, quote, "We are exposing here the cyber tools (APT34 / OilRig) that the ruthless Iranian Ministry of Intelligence has been using against Iran's neighboring countries, including names of the cruel managers and information about the activities and the goals of these cyber attacks," end quote.
The French government recently introduced its own in-house messaging service, Tchap. Messages in Tchap are encrypted end-to-end, and they're stored domestically on French servers, outside the reach of foreign law. Access to Tchap is supposed to be restricted to government officials, but researcher Elliot Alderson, who goes by the hacker name Baptiste Robert, succeeded without much difficulty in getting himself an account he was in no way entitled to. So, back to the drawing board.
Researchers at security firm Avira have found another way in which well-intentioned and useful backwards compatibility can cause problems. Vulnerable Excel 4.0 macros, with bugs some 25 years old, can still be exploited in current versions of Excel. Microsoft recommends upgrading to Visual Basic for Applications.
Krebs on Security thinks the hackers behind the Wipro attack may be a criminal gang, not necessarily a nation-state, as much of the earlier speculation maintained. It appears that the hackers may also have targeted a number of other large IT firms, competitors of Wipro, although what success, if any, they had remains unclear.
What were they after, if they were regular crooks and not working for a foreign intelligence service? Well, fullz, for one thing: marketable PII on various individuals. And of course, they were after opportunities to work gift card scams. After all, the gift card scam is the gift that keeps on giving.
And joining me once again is Malek Ben Salem. She's the Senior R&D Manager for Security at Accenture Labs. Malek, it's great to have you back.
We recently had some news that came out about some groups that were making use of Facebook rather than the dark web to sell tools and tips and techniques for folks who are up to no good. What's your take on this?
Yeah, in early April the Cisco Talos Intelligence Group reported on some Facebook groups that have some shady activity, perhaps even illegal activity. These included almost 400,000 members in about 74 groups, which engaged in things like selling credit card numbers, identity theft, selling forged IDs, wire fraud, tax fraud, DDoS attacks, you name it.
What's interesting is that these groups were not hidden. With a simple keyword search, you'd be able to identify them. And once you join one group, with Facebook's current recommendation algorithm you will be presented with similar groups that engage in similar activity for you to join.
Talos tried to take down these groups using Facebook's abuse reporting functionality. Some were immediately taken down. Others only had some specific posts removed. To me, this raises a question about the efficacy of the abuse reporting function that Facebook is relying on. It doesn't seem that it's working well, especially knowing that back in April of 2018, so a year ago, the well-known security reporter Brian Krebs also alerted Facebook about dozens of Facebook groups where hackers offered similar illegal services.
I'm wondering, do you have any insights on the difficulty of this? I mean, it seems as though when it comes to some things like pornography, for example, Facebook doesn't seem to have any trouble finding that sort of thing and shutting it down quickly. But some of these other things that are more speech-driven, they seem to be slower on the draw.
Exactly. And I think that's why Facebook is being criticized about their reliance, total reliance, on this model of "you guys report, or you tell us when something is wrong." I think there is a lot to be done there, a lot to be improved, again, especially if you can use a simple keyword search to identify these groups. I think there is potential, there is an opportunity for Facebook to do more, to apply artificial intelligence in order to detect such content and to take it down in a timely manner.
Yeah, I have to admit, it leaves me scratching my head. If regular folks can find this stuff with just a keyword search, then why isn't Facebook, behind the scenes, implementing systems that look for those keywords where it knows there could be problems and having someone take a look at it?
Exactly. And we know they're reading the content, right? They're using it for profiling users and presenting ads to users. So I think they have an opportunity to build trust with their users and to make sure that whatever they're reading can be used to protect their own users from harm presented by these hacker groups.
Yeah. All right. Well, interesting insights. Malek Ben Salem, thanks for joining us.
Thank you, Dave. My pleasure.
My guest today is Barbara Lawler.
She's the Chief Privacy and Data Ethics Officer for Looker Data Sciences, a business analytics and intelligence firm. She's a leader in the data privacy world, having previously served as Chief Privacy Officer at Intuit and Hewlett-Packard. She holds leadership positions in a number of influential policy organizations and has testified before several U.S. congressional committees.
Part of our debate is actually what do privacy and data protection mean in the context of American values, American business, American innovation. Actually, what do we mean by privacy? What are the outcomes of possible regulation or legislation? How is that balanced, or should it be balanced, against, I think, what are the really unique American innovations that actually rely on pretty extensive use and reuse of data about people or about their activities?
So, I mean, what is the historical foundation of how Americans think about privacy?
The historical foundations for many go back to some of the earlier waves of new technology. So you will find discussions about when photography came into being in the late 19th century and what that meant in the public commons and in the private commons: if someone was capturing an image of you, and then how was that image commercialized. As we moved into the age of computers, it became this topic around massive processing of data and what that looks like when you can have massive scale, massive amounts of data, but also the reverse of that microscope is the ability to micro-target at an incredibly detailed, almost down to the individual, level. And what does that mean for our autonomy, our ability to make our own choices about who we interact with, the ability to control who we hang out with, who we associate with, and who decides that or who influences that? So there are some pretty fundamental questions that historically have been around those kinds of concepts.
I think the challenges that we're facing go back to what are American values and what does it mean to have a free and open society, in particular in the United States, where we place the highest value on free speech, we place a high value on transparency, and what does that mean when information is used or misused for purposes that maybe a company wasn't clear about, either because they didn't want to be or they didn't know how to be or they didn't know that they should.
When we look at what's happening in California around CCPA, which I think it's important to underscore is still a work in progress, there are at least 40 proposed amendments to adjust or tweak CCPA. So it's definitely not baked yet. It just has a first round of baking. But when we look at, for example, what was CCPA trying to solve? CCPA was trying to solve issues around transparency and issues around control. Those actually aren't new issues, but how they manifest in social media and connected devices is. And what do we even know about how our data as individuals is used, monetized, reused, or shared? And should we know? Should we care? Should we have a say? And when should we have a say?
You initially reached out to me because there are some misperceptions about CCPA that you wanted to clear up. What are some common misperceptions there?
One of the misperceptions is, is there a financial incentive for companies to comply? And I think there's some thinking that enforcement will be weak and that there isn't a lot of enforcement incentive. If you look at the potential range of fines as they've been proposed, it's important to look at that as per issue, and per issue also means per person. So let's say you have a database of 50,000 people that in some way was sold or shared in violation of CCPA. Whether it's $750 or $7,500, which is the max, that's a per line item fee. So if you do the math on the worst case, $7,500 per incident times 50,000 gets you to about $375 million. That is a significant financial incentive.
I think the bigger incentive is that the AGs actively requested that there be a private right of action, which means class action lawsuits. And we've seen class action lawsuits proliferate in other areas of, I would say, consumer protection and privacy protection. And I think the risk for both business and individuals there is that often with class action lawsuits, there isn't a direct benefit to the actual consumer purported to be protected. The benefit may be to fund use for education and perhaps funding for those law firms themselves.
I think some of the other, not so much misperceptions about CCPA, but confusion is that the definitions aren't clear. I think we're all hoping that the AG's office, since one of his areas of focus, as he stated, is to add clarity to the definitions, will do so. So are employees of organizations covered as consumers in California? The way it's worded now, yes. Will that change? Potentially. There's confusion about the definition of "sell." You might say, I don't sell data. My company doesn't sell data. But right now, the definition of sell is any exchange of value or consideration. So if you're using a third-party vendor just to produce a podcast, for example, there is consideration. There is value exchanged. That's considered a sale. You probably don't think about it as a sale. But right now under CCPA, it is. So those are the things that aren't always clear to folks and I think need to be cleared up.
The last one I would add is when a consumer requests what is a very large potential sample of information (it's not really even a sample) of what's held about them, it's for 12 months. So what that means is there is a 12-month look back. Did that look back start in January of 2019? Which means, if you haven't started thinking about that or planning for that, you're already late. Will that start in January of 2020? Will the effective date change? Because the AG doesn't need to provide his final guidance until July of 2020. So there are some interesting gaps that we hope will be closed on clarity on when a look back starts, when the effective date will be, and some clarity around those definitions that I think will give companies a much stronger sense of confidence in their ability to actually comply with CCPA.
What's your advice to people out there who are trying to get a better handle on this? I think there's a sense that folks feel like they don't have control over their own data.
I think the first thing is that there are some great resources in a few different locations online that can show you how to actually control your privacy settings. And these are basic things like, if you're not using a mobile app anymore, delete the app. Change your location settings.
One of the best organizations is Stay Safe Online, particularly around Data Privacy Day, which happens on January 28th every year. There's a tremendous amount of resources for individuals as consumers, in a business context, and also as parents. There are resources for teens. There are additional resources for teens from the Cyber Angels organization, which focuses on teens and kids. Girl Scouts has a program. You'll also see some pretty good resources from organizations like the Privacy Rights Clearinghouse, based out of San Diego, California. So there are a lot of places to go.
My advice is check your privacy settings. And you can do that by going into the settings menu of your smartphone or the settings menu on the different web apps that you're using. And I think we're at a stage where less is more. What I mean by that is, if you looked at the average number of apps on somebody's smartphone, they've kind of stagnated, and I think there's a great opportunity for folks to really take a look at, do I really need all of those apps? If I haven't used it in three months, I should just get rid of it, because that just reduces the opportunity for location tracking and data collection that I may not know about or may just not be comfortable with.
That's Barbara Lawler. She's the Chief Privacy and Data Ethics Officer for Looker Data Sciences.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.