CyberWire Daily - Operation Parliament seems to have got what it came for. EITest finally sinkholed. Facebook testimony on Capitol Hill. Estonia reports. Swatting case teaches nothing?
Episode Date: April 13, 2018
In today's podcast, we hear that, while the operators behind Operation Parliament pretend to be nothing but a bunch of skids, they're anything but. EITest gets taken down. Facebook this week faced questions about privacy and ideological bias. Most observers think these questions were largely ducked. Estonia's Annual Report on security is worth reading no matter where you live. And an accused swatter seems to have learned nothing from his experience. Dr. Charles Clancy from the Hume Center at VA Tech, discussing LTE network vulnerabilities. Guest is Dinah Davis from CodeLikeaGirl.io and Arctic Wolf Networks, discussing diversity at tech conferences.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Operation Parliament pretends to be nothing but a bunch of skids,
but they're anything but.
EITest gets taken down.
Facebook this week faced questions about privacy and ideological bias.
Most observers think these questions were largely ducked.
Estonia's annual report on security is worth reading no matter where you live.
And an accused swatter seems to have learned nothing from his experience.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your Cyber Wire summary for Friday,
lucky April 13th, 2018.
Kaspersky describes Operation Parliament, a wide-ranging cyber espionage campaign that since early 2017
has cloaked its activities by pretending to be the Gaza Cyber Gang,
a well-known and not well-respected
group of skids.
The actor behind Operation Parliament appears anything but unsophisticated.
The malware it used is still under study, but it does not appear to have any obvious
relationship with previously seen attack code.
Targets were carefully verified before infection, and Kaspersky says the unidentified operators did just enough to achieve their goals.
Most of the organizations targeted were in the Middle East and North Africa, but infections extended to Europe, South Korea, and North America as well.
The campaign has slowed since the beginning of 2018, suggesting the spies got what they came for.
Proofpoint has successfully sinkholed what they call the oldest running infection chain,
EITest.
They say the campaign, active since 2011,
seems to have been purely criminal as opposed to state-directed.
The large network of compromised servers it used, about 51,000,
and its concealment of its command-and-control infrastructure
behind a domain-generation algorithm made it unusually resistant to takedown.
Proofpoint says that EITest passed filtered, high-quality traffic to threat actors operating
exploit kits and web-based social engineering schemes.
Facebook's sessions before Congress are over, with House inquisitors getting higher marks
from the media than did their Senate counterparts. Observers think that many of the upper House
members exhibited misconceptions about Facebook, social media, and indeed the Internet too basic
to permit them to question Facebook's CEO Mark Zuckerberg closely. In the House, things were different.
He was asked tougher questions
about ideological bias and content filtering, and he was also asked by Representative Bobby Rush,
a Democrat of Illinois, what the difference was between the way Facebook collects data
and the way J. Edgar Hoover used to do it back when he was running the FBI.
The difference, Mr. Zuckerberg explained, is that with Facebook you control the
information. He said, quote, you put it there, you can take it down anytime. I know of no surveillance
operation that gives people that option, end quote. A partisan of the late Mr. Hoover might
have answered, no one told you to pick up that phone or attend that church or go to that rally.
So there.
It was, in fairness to Facebook, probably harder to get the FBI circa 1950 to destroy a dossier than it might be to get Facebook to delete your data.
It should become easier to get that data deleted
as Facebook brings itself into compliance with European data handling regulations,
particularly the poignantly named right to be forgotten.
One of the tougher questions from the House concerned shadow profiles,
information Facebook maintains on people who aren't Facebook users.
Such profiles include information gleaned on them from third parties who are Facebook users,
and they can include, according to an account in Popular Mechanics,
quote, all sorts of information that could be used to identify a given person,
their name and phone number, email addresses, physical addresses, and so on, end quote.
Mr. Zuckerberg dodged the question, professing no familiarity with shadow profiles,
but the issue remains an open one.
Mr. Zuckerberg answered questions about ideological bias with assurances that the
20,000 content moderators Facebook is hiring, working in partnership with the advanced artificial
intelligence it's bringing on board, would restrict things like hate speech and terrorist messaging
being, in his words, things we would all agree on. In general, the House members, particularly
Republicans,
notably Representatives Fred Upton of Michigan,
Joe Barton of Texas, and Marsha Blackburn of Tennessee,
were unconvinced, trotting out examples of people who were kicked off Facebook
for apparently simply holding conservative views.
These, Mr. Zuckerberg explained as mistakes
that Facebook either had corrected or would correct soon.
In general, during the hearings, Facebook was determined to represent itself as a technology
firm and not a media company.
A media company would be expected to be held accountable for its content, whereas a technology
company would generally be thought of as a content-neutral conduit for users' communications.
Mr. Zuckerberg did indicate that Facebook remained committed to its advertising-based
revenue model and that he expected to come under more regulation in the future.
For a foreshadowing of what such regulation might look like, see GDPR.
There will be a European court test for the social media giant soon.
The Irish High Court has referred a case brought by an Austrian
lawyer and privacy activist to the European Court of Justice. Max Schrems brought his
case to the Irish Data Commissioner in 2013 because Facebook's European operations are
headquartered in Dublin. He alleged that his data was being transferred to U.S. authorities
without his permission. It's expected that the European Court of Justice will rule on the matter in about 18 months.
We're pleased to announce the 5th Annual
Women in Cybersecurity Reception,
which this year will be held at the new Spy Museum
in Washington, D.C.
The event is October 18, 2018,
and once again will help leaders from the private sector,
academia, and government from across the
region, and at varying points in the
career spectrum, connect with one another
to strengthen relationships and build new
ones. We've got sponsorships
available, so to find out more about the event,
head to thecyberwire.com
slash WCS.
We hope to see you there.
Those interested in seeing how a small country punches far, far above its weight in cyberspace
will find the Estonian Internal Security Service's newly released annual report for 2017 good reading.
The chapter Defending the Constitutional Order is particularly worth
attention. It consists largely of a well-informed consideration of Russian influence operations,
placing them in historical context, and showing the disparate forms they've taken over the past
year. If you thought Kremlin trolling was confined to what the Internet Research Agency did to
Facebook from under its bridge on the Neva, think again.
And finally, in an update to an unusually repellent and tragic criminal case,
we see how online disinhibition isn't really even much affected by jail time.
Tyler Barriss, 25, the Los Angeles man alleged to have made a bogus 911 swatting call
that resulted in Wichita, Kansas police shooting a man, has apparently tweeted boasts of his being an e-god and threats to swat
social media interlocutors.
He's done so from a misconfigured kiosk in the Kansas jail where he's being held pending
trial.
The kiosk is intended to let inmates make such minor purchases from the jail's commissary
as they may need, but not to give them internet access. The sheriff is on it now, and so the world
will no longer receive Mr. Barriss's philosophical musings, but that he thought those tweets worth
sharing argues for a sad disconnection. The swatting incident Mr. Barriss is accused of
involved a dispute among Call of Duty
players. The man who was killed, Andrew Finch, age 28 and father of a small child, was completely
uninvolved, innocent, and unarmed. It would seem that some people learn nothing and that their
ability to discern the difference between cyberspace, where one respawns after being killed,
and reality, where one doesn't, is to say the least, impaired.
Mr. Barriss, of course, is entitled to the legal presumption of innocence.
Mr. Finch, alas, can only be mourned.
And joining me once again is Dr. Charles Clancy. He's the director of the Hume Center for National
Security and Technology at Virginia Tech. Dr. Clancy, welcome back. You wanted to discuss today
some vulnerabilities when it comes to LTE technology. What can you share today?
I wanted
to share some recent research coming out of Purdue, where they demonstrated a whole series
of new attacks against LTE. Now, the majority of them are fairly minor. They aren't going to cause
major new capabilities for an adversary that they don't already have. But one of the interesting
things that the paper pointed out was that the paging channel used in LTE is not authenticated,
which has some interesting potential ramifications.
So if you'll recall a few months ago, there was the big emergency alert that went out in Hawaii
that threatened an incoming missile attack, which clearly got a lot of people concerned about how
our emergency alert systems work. In that case, it was human and policy error that caused
that incorrect alert to be released. However, there are vulnerabilities in the telecommunication
system that could lead to someone being able to maliciously spoof such a message.
And in particular, the researchers from Purdue pointed out that the unauthenticated paging
channel would allow a bad actor to locally cause cell phones in a particular region to potentially receive a malicious or faulty emergency alert that obviously could cause disruption and confusion.
Unpack this for us. So explain to me, what is the paging channel? Is that separate from, is that a dedicated channel separate from other communications methods to your mobile device?
Exactly.
So within the LTE protocol standard, there's a variety of different ways that your phone can talk to the tower.
These are different channels that exist within the link between your phone and the eNodeB or the base station, as it's called.
There are the standard channels that you would use for voice and data as part of just
using the cell phone network. But then there's also a variety of control channels that are used
by the network to know where your phone is, be able to find your phone if someone calls you,
things of that nature. So the paging channel is one of those control channels that's really used
to try and just make sure that, let's say, for example, there's an incoming phone call and the network needs to know precisely which tower you're
connected to.
It can send out a paging message to try and find you.
That same channel is also used to deliver things like Amber Alerts and other sort of
broadcast emergency alerts.
And like I said, that channel doesn't have any cryptographic protection, which means
that anyone could spoof a message in that band.
So has there been any examples of that out in the wild, or is this speculative so far?
Well, the researchers at Purdue demonstrated in a laboratory that it was possible.
As far as I know, there hasn't been any actual over-the-air demonstrations of this as part of any kind of active hacker campaign. However, there's a lot of concern,
I think, that that may happen. So obviously, we're seeing hackers get more sophisticated when it
comes to telephony-oriented attacks, for example, with the telephony denial of service attacks that
will clog up a 911 center's inbound phone lines to prevent them from being able to respond to an
emergency.
You can imagine similar sorts of disruptions being possible through this channel.
So one of the things we're doing right now is pushing the 3GPP, which is the standards body for the cell phone ecosystem, to add authentication to that channel to prevent
attacks like that from being effective in the future.
All right.
Interesting stuff. Dr. Charles Clancy, thanks for joining us.
Thanks a lot.
And joining me once again is Dinah Davis. She heads up codelikeagirl.io. She's also the director
of R&D at Arctic Wolf Networks.
Dinah, welcome back.
Thank you.
Happy to be here.
So recently you attended InfoSec World, and we just wanted to touch base about that, what your experience was like.
What can you share with us?
Yeah, it was really awesome.
We were fortunate enough to sponsor it from a Code Like a Girl's perspective.
We did that because they had had a very low number of CFP applications to do their speaker series from women.
And we wanted to encourage more women to attend the event
so that maybe they would consider applying to speak at it next year
so they could up the ratio of session speakers.
The other awesome part was that they had a 50-50 ratio of keynote speakers based on gender.
And one of the most interesting talks actually was done by a dog. Not literally a dog, but it was all about this dog that helped expose
Jared, the Subway guy.
So they have trained dogs to smell electronics.
There's a compound in the chips that the dogs can smell.
And what they do is they go in after search warrants and search the house again.
And then the dogs are often able
to find, you know, tiny things like thumb drives and stuff that often have nefarious stuff on them
or child pornography and things like that. And this dog had gone and helped find key evidence
for the Jared, the Subway case. Yeah, so that was really cool. And then they showed how the dog did their
work. And the dog was a female dog. So that was interesting, too. That was, you know, great.
Did they count that as one of the women speakers?
No.
Okay, good, good.
It was actually her handler that was a speaker and he was a guy.
Oh, well.
That's okay. That's okay.
With a lot of the women that I speak with, they say that while things are getting better in the workplace,
that a lot of times these conferences are lagging behind in taking good care of women,
of being respectful and getting speakers lined up and things like that.
What was your sense from InfoSec world?
It sounds to me like they're making an effort. Having been there, do you feel like they're doing a good job?
I do think that that conference is trying to do the best they possibly can. There was a good
number of women attendees. I tweeted a lot. I live tweeted the event. And my favorite post was a picture of, like, a table full of women in security watching the keynote speech, the opening keynote speech.
And it actually was, like, the top trending tweet with the hashtag InfoSecWorld2018 for most of the week.
So that was a great top tweet.
The other top tweet that I had that week was terrible. Basically, there's another
video podcaster and their marketing material has pictures, silhouettes of pinup women on them.
And there's a lot of people that defend it because it came out in the 80s, 90s. It's like their
signature. And my opinion on that is, you know, like I walk around and I see that T-shirt and I see tons and tons and tons of people trying to get that T-shirt.
And it's degrading and it doesn't make me feel comfortable as a professional.
So that's not InfoSec World as a conference, really.
I mean, that's one of their vendors that came.
They don't have all that much control over that.
They're trying to do the best they can. Right. That was an interesting perspective to
me just because we've always had that logo. Does that mean that it's still appropriate today?
And they countered with, oh, yes, but we have one with men and women on it. But the woman was like
a Playboy pinup and the guy was like a larger coder with a backwards cap on. And I'm like, that's not the same.
You're objectifying the woman and you're not objectifying the guy. That doesn't count.
Yeah. And there was a bit of a social media dust up about that. People coming
at you from both sides, both supporting and challenging you.
Yes, for sure. So there was kind of these two tweets from the week and one was like really awesome. And there was still even
people, one guy who responded to the table full of women. Why is this the top tweet at InfoSec
World? Shouldn't it be about the technology? And I'm like, well, yeah, I actually would like it to
be about the technology, too. But this is so rare that apparently it's getting a top tweet to have
a table full of women. The very fact that it stands out. Right, exactly. As soon as it doesn't stand out, it won't
be the top tweet. It won't be the thing we're talking about. It's a lot of these small things.
It's these, you know, tiny little thousand little cuts that the women at conferences see all the
time. And that's the stuff we have to start changing. We are looking at the speakers
and how many speakers you have that like what the gender ratio is there. And conferences are
getting better. It's not just up to conferences to make it welcoming for the women. It's also up
to all the vendors that are there. Now, did you have any dialogue with those folks? I imagine
you're standing there at their booth and you're looking at their materials and it raises your hackles.
Did you confront them there or how did you handle it?
I didn't.
And I'll tell you why I didn't.
Because they were just marketing people from that company.
And there was a lot of people at that booth.
And I didn't see how my conversation with them would get me anywhere at that particular booth, right?
It's just their company's logo.
The marketing people that are there aren't going to be the ones that can make any kind
of change.
And it just didn't seem like the right time.
Now, maybe I should have gone back later when it wasn't so busy and had a conversation.
I can accept that.
Maybe that would have been a good thing to do. but I didn't think it would really influence any change. So looking back at
the conference, what are your recommendations for women who might want to attend a conference like
this? Other conferences like RSA, do you have any words of wisdom? I think InfoSec World is
fantastic. I highly recommend going as a woman in the field.
I found that the ratio of women at the conference was quite high in comparison to other conferences I've been to.
And a lot of their keynotes and panelists were women.
So I found it to be a very inclusive conference.
RSA, I am heading there next week.
We all know they had a big gaffe
at the beginning in early March
where they had only one keynote speaker
who was a woman,
and it was Monica Lewinsky.
And while Monica Lewinsky
is an expert in her field
of cyberbullying,
one speaker in their keynote series
being a woman of like,
you know, 10 or 12 keynotes is not appropriate.
Now, since then, they have actually done quite a good job at rectifying that. They have a few really amazing women speaking.
One is a Homeland Security lady.
One is the founder of Women Who Code.
I am looking forward to that. And I have signed up to
go to all of those talks to see what they're like. They shouldn't have had to have, you know,
a big media backlash to include those women in their conference in the first place.
All right, Dinah Davis from Code Like a Girl and Arctic Wolf Networks.
Thanks for joining us. Hopefully we'll cross paths next week at RSA.
Yeah, that's exciting.
And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.