CyberWire Daily - Parliament gets its report on Russian hacking. A look at the cyber criminal economy. Russia says it has no hackers.
Episode Date: July 21, 2020
The Intelligence and Security Committee of Parliament has rendered its report on the Russian cyber threat. Trend Micro reports on the workings of the cyber criminal underground economy. Ben Yelin on U.S. Customs and Border Protection collecting license plate data. Our guest is Kevin O'Brien from GreatHorn on the role of business policies in security to keep users safe during high-risk events. And it turns out that Russia has no hackers whatsoever: Moscow’s Finance Minister says so, so you can take that to the bank. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/140 Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose,
and showing the world what AI was meant to be. Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Now at a special discount for our listeners. Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash N2K
and use promo code N2K at checkout.
The only way to get 20% off
is to go to joindeleteme.com slash N2K
and enter code N2K at checkout.
That's joindeleteme.com slash n2k, code n2k.
Trend Micro reports on the workings of the cybercriminal underground economy.
The Twitter hack still looks like a well-executed but half-baked criminal scam.
Ben Yelin on U.S. Customs and Border Protection collecting license plate data.
Our guest is Kevin O'Brien from GreatHorn on the role of business policies in security to keep users safe during high-risk events.
And it turns out that Russia has no hackers whatsoever.
Moscow's finance minister says so,
so you can take that to the bank.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Tuesday, July 21st, 2020.
The UK's Intelligence and Security Committee of Parliament rendered its long-anticipated report
on Russian espionage and cyber operations at Westminster this morning. The redacted report
concludes that Russia's aims are primarily negative, paranoid, also fundamentally nihilistic,
seeking to disrupt and damage rivals.
Moscow's subsidiary positive substantive goals include sustaining its prestige as a great power
and preserving its rulers' privileged positions.
The committee outlines extensive Russian disinformation operations against the UK.
These have pursued goals observed elsewhere, including the opportunistic exploitation
of existing social fissures to erode trust in civil society and the institutions that serve it.
Russia is assessed, unsurprisingly, as a highly capable cyber actor with a proven capability to
carry out operations which can deliver a range of impacts across any sector.
A striking feature of Russia's cyber capability is the close and symbiotic relationship
its intelligence and security services enjoy with Russian organized crime.
This relationship, which includes corrupt business operations,
is seen as so close as to render the gangs, the contractors, and the state
operators effectively indistinguishable, but the security and intelligence services are the ones
calling the shots. The criminals are compromised, suborned, and controlled. They understand that
they operate at the sufferance of the organs. The committee's recommendations include closer cooperation with allies and new
authorities for the intelligence community. In many respects, the report covers similar ground
to that surveyed by the U.S. Cyberspace Solarium Commission. The report's title is the single word
Russia, but the committee's discussion of Russian activities makes frequent reference to the cyber threats posed by China, Iran, and North Korea as well. It expresses a recognition of the difficulty of
properly and effectively balancing defensive resources across the four familiar adversaries.
The report also makes note of the United Kingdom's development of an effective offensive capability suitable for deterrence and, when necessary, retaliation.
The committee appreciates that Russia is a hard target for intelligence collection.
It also notes that both collection and active cyber-offensive measures against Russia carry a distinct risk.
Quote,
In the case of Russia, the potential for escalation is particularly potent.
The Russian regime is paranoid about Western intelligence activities and is not able to treat
objectively international condemnation of its actions. It views any such moves as Western
efforts to encourage internal protest and regime change. The risk is compounded by limitations on UK engagement with the Russian government
at official and political levels,
making deciphering Russian leadership intent even more difficult.
And Moscow's centralized decision-making,
seen as distinctively shaped by President Putin's personality and style of government,
has given Russia a surprising agility in cyber conflict.
Her Majesty's Government is also soliciting comment on a
proposal to improve the security of the Internet of Things, particularly consumer smart devices.
The highlights of the proposed new measures are, as summarized by Lot Australia: first,
temporarily ban the supply or sale of the product while tests are undertaken; second, permanently ban insecure products if a
breach of the regulations is identified; third, serve a recall notice compelling manufacturers
or retailers to take steps to organize the return of the insecure product from consumers;
fourth, apply to the court for an order for the confiscation or destruction of a dangerous product;
and finally, issue a penalty notice imposing a fine directly on a business. Comments are due by September 6th.
Kevin O'Brien is CEO and co-founder of email security company GreatHorn.
He joins us with insights on the role of business policies in security to keep users safe during high-risk events.
In many ways, what we've seen over the course of the last, call it three months, as of the time we're recording this,
are examples of the kinds of situations that give rise to social engineering attacks,
and then by extension, phishing attacks and security attacks over email as a channel.
And that theme is very much, as you said, a broader one than just this current moment.
What sort of events rise to be called high-risk events?
What sort of things are we talking about here?
What you're looking for whenever you're talking about social engineering and high-risk events
is something that creates a sense of urgency on the victim's behalf.
So global events that everybody is nervous about and the pandemic that we're currently
experiencing certainly qualifies would be a good example case
of that. But you can also see it where an organization might have people who are nervous
about their taxes. So every year, you get a spate of phishing attacks that are focused around tax
season, your W-2 is attached. Why? Because money's involved, and that's something
that creates a sense of urgency. Oh, my taxes are due, or I owe my taxes, or I'm going to get paid
money from the government because I overpaid. People are inherently like, I want to go look
at that right now. So money, health, family, job status, those are all the sorts of things that create high-risk moments.
And social engineers and attackers who get this understand how to condition people to
certain responses. And it's trivial to send you an email that says,
oh, I've got your COVID-19 update from the boss, but more advanced and sophisticated attackers will
do this over the course of days or
weeks or months, and you don't even realize you're being played. It's just another con,
and it can be a short con or a long con. Email is just a convenient delivery mechanism because
every professional has an email address. So what's the solution for an organization here?
Are there technical solutions? Does it come down to training? How do we dial in a response here?
There are so many vendors out there who claim that they have some thing that they'll
sell you and it's going to solve the problem. And it's really just honestly insane to think
that that's the case. The problem is there's no one thing that you do. There's almost this
assumption that this is a problem that can't be solved
because it's difficult to solve. And I think that for the listeners, that is really the thing that
we need to challenge, the assumption that this is an intractable problem because it is not.
And I think that overcoming that fatigue is the story behind the story.
Why are things like COVID-19 emails out there?
Because they work, but we can still address that.
We can do better, but we do better by thinking about this strategically and laying out a
defense-in-depth strategy around security posture rather than, here's a thing you can
buy.
And I think that's the underlying point that really
I would underscore for your listeners. That's Kevin O'Brien from GreatHorn.
Researchers at security firm Trend Micro today issued a report on the underworld's
cybercriminal economy. The principal offerings seen in fora catering to criminal customers are dedicated and virtual hosting providers,
service protection and anonymization providers, additional infrastructure provision,
such as in-browser botnet services, IoT hosting, telecommunications,
legitimate services used for malicious purposes, such as cloud services,
dynamic DNS hosting and SSL certificate provisioning, and so on.
There's some overlap between criminal-to-criminal fora and those dedicated to gaming, online marketing, and search engine optimization.
So how do buyers and sellers find one another?
Through familiar forms of online marketing.
Trend Micro says, quote, like any
business that sells goods and services to potential buyers, criminal sellers also advertise. Sellers
use different platforms to promote their products and services, chat channels, hacking forums, and
social media posts, end quote. So as always, it pays to advertise.
And finally, to return to the UK's new report on Russian cyber operations,
for its part, TASS is authorized to disclose that all that stuff in the Intelligence and Security Committee of Parliament's report on Russia is a bunch of hooey, that there are no Russian hackers.
Quote,
There are no hackers working for the Russian government,
so our government does not consider any actions by hackers,
nor does it coordinate them.
End quote.
That's from Russia's finance minister, Anton Siluanov.
He added that Russia was developing its own COVID-19 vaccine and therefore had no need to steal anyone else's, which besides it also did not do.
And by the way, the inflated cyber hysteria isn't going to slow down Russia's vibrant and growing economy.
In a nice touch, TASS sources its story to an interview Mr. Siluanov gave to CNBC.
All politics may be local,
but all news seems to be global.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat self-packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat.
Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to
evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black
Cloak's award-winning digital executive protection platform secures their personal devices, home
networks, and connected lives. Because when executives are compromised at home, your company
is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health
and Homeland Security and also my co-host over on the Caveat podcast. Ben, great to have you back.
Good to be with you again, Dave.
An article came by, this is from the folks over at TechCrunch, written by Zack Whittaker,
and it's titled, CBP says it's unrealistic for Americans to avoid its license plate surveillance.
These are our friends over at the U.S. Customs and Border Protection Agency.
Bring us up to date here, Ben. What's going on?
Well, I hope you really have friends over there because otherwise, you know, we're both
going to be subject to a lot of data collection.
So this is about license plates readers.
CBP purchases data from commercial license plate readers all across the country. They aggregate that data
from some commercial companies, some private companies, but also some public sources. So
law enforcement security cameras. And this is to augment its border enforcement efforts.
Now, you'd think this would be limited to the area around the border, maybe 100 miles from our
southern or northern border.
But from what this disclosure is saying is it actually exists all over the country.
That in order to fulfill their obligations, this agency, CBP, is collecting license plate
data even if individuals are not close to the border at all.
And the message they're sending users here is there's really no way to
protect your privacy. Your license plate, if you decide to drive on the road, is going to be
collected and put in this database. And there's really not much you can do about it. We now have
the technology so that cameras can capture thousands of license plates every minute. It's a great way to track the location of vehicles and
persons inside those vehicles. And, you know, this is sort of a warning shot on the part of
Customs and Border Protection saying, don't come to us in court saying you had an expectation of
privacy, because you do not. We're collecting a lot of information. We're scanning it. There's not much you can do about it
unless you decide to never go on the roads at all.
So not great from the perspective of the average person
who's just going to get their groceries
and doesn't want to be caught by a license plate reader.
Hmm.
Yeah, I have to say, as someone who initially had raised eyebrows over the CBP's 100-mile border zone, which is basically this range near any border, 100 miles from any border, which puts a huge percentage of the U.S. population in their sights.
It sure does, yes.
All the time because, you know, cities,
surprise, surprise, cities pop up near port towns. Yeah, shocker. Yeah, so for those of us who are
skeptical of that, to see that they have extended their reach to everywhere, that, my eyebrows are
near the back of my head now.
Yeah, I mean, I think it's, from their perspective,
it's one of the things that we have to accept about modern life.
I mean, the individual representative from CBP who was interviewed here said,
look, I can't protect myself from speed cameras.
If I'm going on the road and there's a speed camera there,
they're going to take a picture if I go 40 miles an hour in a 25 mile an hour zone.
And that's exactly what's happening here.
And the essence of that is something we've talked about, that as far as the legal system is concerned, if you put yourself in public, whatever is collected about you, really from any source,
from a security camera, from a law enforcement officer with binoculars, is fair game to be used in future criminal proceedings. And the warning
here is basically saying you don't have any way to protect yourself. If you're going somewhere to
commit a crime or to violate the policies of the Department of Homeland Security
or our immigration services, and you're, you know, doing that in a car, we're going to catch you
because our system is that ubiquitous. And, you know, I hate to see these circumstances where
the public is basically told there's nothing that can be done to protect their
private information. Now, there are some mitigation efforts involved in this. They say that, you know,
the only time they'll actually search these databases is if there's, quote, circumstantial
evidence that some sort of criminal activity or illegal activity has occurred. That's a pretty
low bar to obtain that information. And they said that they only keep the data for five years.
But when I think about where I was five years ago,
it kind of seems like a long time to me.
So do they need a warrant?
Absolutely not.
No warrant is required because of the so-called plain view doctrine.
This was something that was observed,
albeit something observed by an
artificial system, not by a human being, but it was observed in public. And when you expose yourself
in public and you don't make any attempt to conceal your identity, then there is no violation
of your expectation of privacy, of your reasonable expectation of privacy, and therefore there's no Fourth Amendment event.
Yeah, boy, it's interesting because I guess we get into that whole thing of
driving a motor vehicle is a privilege, not a right. And if I'm walking around on the street,
I may put on a hat and some sunglasses to try to maintain my privacy. But if I cover up my
license plate, that's going to draw even more attention to me on the road.
Yeah, you're probably going to get pulled over.
That's something I do not recommend doing.
All right.
Well, again, the article is written by Zack Whittaker over on TechCrunch.
It's titled,
CBP says it's unrealistic for Americans to avoid its license plate surveillance.
Ben Yelin, thanks for joining us.
Thank you.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
but also practical and adaptable. That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.