CyberWire Daily - Phishing for credentials. Compromised Telegram accounts. Lateral movement. Crypto Wars updates. Data retention compliance. Iago did it for the lulz.
Episode Date: December 13, 2019

Parties unknown are phishing for government credentials in at least eight countries. Some other parties unknown are compromising Telegram accounts in Russia. Lateral movement is in the news, but not the good, Lamar Jackson kind. A familiar order of battle in the Crypto Wars emerges, again. NSA's IG reports on SIGINT data retention. And a peek into what we suppose we must call the minds of some of the people hacking Ring systems. Daniel Prince from Lancaster University on cybersecurity testbeds for IoT research. Guest is David Belson with the Internet Society on Russia's "Sovereign Internet" law. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/December/CyberWire_2019_12_13.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Parties unknown are phishing for government credentials in at least eight countries. Some other parties unknown are compromising Telegram accounts in Russia. Lateral movement is in the news, but not the good Lamar Jackson kind. A familiar order of battle in the Crypto Wars emerges again. NSA's IG reports on SIGINT data retention, and a peek into what we suppose we must call the minds of some of the people hacking Ring systems.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Friday, December 13th, 2019.
Researchers at Anomali describe a phishing campaign apparently intended to harvest credentials from some 22 government agencies and government contractors in several countries around the world. U.S. targets have received the most attention, but Australia, China, Japan, Mexico, Peru, Poland, and Sweden were also prospected. The U.S. targets include the Departments of Commerce, Energy, and Veterans Affairs. No one, ZDNet says, has any idea who's behind the operation or what their ultimate objective might be, but there's some speculation that the goal might be industrial espionage or some related form of criminal activity. The phishing emails directed victims to a site where they were asked to enter their credentials. About 120 bogus sites were deployed over the course of the campaign.

Forbes reports that Group-IB is investigating compromises of Telegram accounts belonging to a number of Russian entrepreneurs. Attribution in this case is also mysterious, but Group-IB doesn't think the incidents involve any flaw in the messaging app. The researchers do note that Telegram credentials are being widely traded on the dark web.
In the course of its investigation of exploits leaked by the Shadow Brokers, Zscaler has found a botnet it's calling BuleHero that excels at lateral movement within its targets. The more lateral movement an attack technique is capable of, the more dangerous it is to the networks it infests.

TechDirt reports that Representative Ro Khanna, a Democrat of California representing the California 17th District, which includes much of Silicon Valley, sent a pro-encryption letter to Senator Graham, Republican of South Carolina, who's running the Judiciary Committee's hearing on encryption. Representative Khanna's position is pro-encryption, as is the position of most of the tech companies. He also attached a letter from Pentagon CIO Dana Deasy that stressed the importance and value of strong, end-to-end encryption.
Deasy's letter to Representative Khanna said, in part, quote, "The importance of strong encryption and VPNs for our mobile workforce is imperative." He closed with this sentence: "The department believes maintaining a domestic climate for state-of-the-art security and encryption is critical to the protection of our national security." This seems to have been the pattern in the Crypto Wars, at least in the U.S. The Defense Department has been notably more pro-encryption than the Department of Justice. The intelligence community has been quieter, but generally hasn't shown much disposition to jump on the anti-encryption bandwagon. To some extent, this almost certainly reflects agencies' disposition to approve of the things that make their jobs easier. Encryption makes the DOD's job easier, but it makes Justice's job harder.

In the U.S., NSA's Inspector General has found deficiencies in the agency's data retention procedures. Some signals intelligence data have been retained beyond limits established by law and policy. The IG looked at two representative data stores and found that the agency had retained a small percentage of the large number of SIGINT data objects beyond legal and policy retention limits. As the IG pointed out in the report's conclusion, the deficiencies the investigation found could have an effect on privacy and civil liberties. The conclusion isn't that there's a major scandal or a great deal of nefarious collection underway, but rather that NSA has some work to do on compliance. And compliance in this matter is important since it touches safeguards of civil liberties. The IG made 11 recommendations to improve NSA's compliance procedures. The agency accepted the findings and is working to bring its procedures into compliance. The IG's report can also serve as a cautionary tale. Anyone who thinks compliance is easy should ask NSA, which is a well-resourced and professional agency.
And finally, did you know, have you heard, there are creeps abroad in cyberspace? We've been seeing accounts of people whose Ring cameras, which they've installed for the home security the system is designed to provide, have been hacked into by various alleged human beings, who then use the system to wake people in the middle of the night, telling people, "I can see you in bed," frighten and swear at small children, try to teach small children racist epithets, and so on. Do these seem oddly pointless actions? Yet someone's doing it. We're sorry to say that at least some of those someones are, well, podcasters. Many of the most repellent hacks were featured on the NulledCast podcast, live-streamed on Discord, Vice reports. Vice's account offers an interesting inside look at the geniuses behind NulledCast. Apparently, it was funny, a joke, you know, like what you might see on Jackass or Impractical Jokers. Once the hacks began to gain media attention, most disapprovingly, so bravo media on this one, the podcasters struck a new high-minded and socially responsible tone, writing,

So the grammar's off, but the sentiment is surely one your high school civics teacher would approve of. There's also some evidence that the performance artists of the Ring Caper are hearing footsteps of law enforcement. Vice found the following message on the NulledCast Discord server: "Hey NulledCast fans, we need to calm down on the Ring trolling. We have three investigations and two of us are already probably effed. Drop suggestions on what else we should do. It will still happen, just on a smaller scale. Thanks, the NulledCast." That's not exactly a ringing call to straighten up and fly right, but at least they have the wit to realize that being effed is a bad thing. But if they are really effed, it couldn't happen to an effing better bunch of effers. So why did they do it? Hope for the glory of being an influencer and remoter but more glittering hopes of influence-pumped wealth? Maybe. But it still seems like motiveless malice. Motiveless malice is, alas, common enough in cyberspace, but it's also not new. After all, Iago did it for the lulz.
And I'm pleased to be joined once again by Daniel Prince.
He's a senior lecturer in cybersecurity at Lancaster University.
Daniel, it's always great to have you back.
We wanted to touch today on some research that you all are working on when it comes to IoT, and specifically some cybersecurity testbeds. What do you have to share with us?
Well, at Lancaster, one of the key things that we do is build things.
It's one of the core parts of our research.
Yes, we do the theoretical stuff,
but we also like to do a lot of the applied research,
really testing what it's like in a real environment.
But as part of that, we build a lot of test beds.
And one of the test beds we've been working on for nearly a decade now
is our industrial control systems research testbed.
And that's slowly, over the last couple of years, that's starting to develop into an Internet of Things testbed,
where we can really tackle some of the more interesting cybersecurity problems.
But one of the challenges that we're finding, one of the things I wanted to talk about,
is that when you move from ICS to IoT, you're moving to this completely different physical process.
So with industrial control systems, actually, it's quite straightforward to create something that emulates a water treatment work or electricity grid.
Notwithstanding, those are quite complex, but it's a defined and scoped process. But the problem with a lot of IoT type work is the process you're trying to emulate and simulate is that of people, that of a group of people working in a building.
If you're thinking about industrial IoT, yes, again, that's related to industrial processes.
But a lot of the IoT technology that sits around that also interacts with humans in a slightly different way than just your pure industrial control system.
So one of the challenges we're trying to tackle here at Lancaster is how do we build an IoT
test bed that enables us to have high accuracy around the human aspect of interaction with
those systems.
Is that a matter of there being a much greater degree of complexity?
Well, yeah.
So when you think about, say, you're trying to simulate an IoT smart environment for a
building.
So you take the building that I work in, InfoLab, there's 60 academics that work in there, about
40 support staff.
Then you've got a whole number of businesses.
So you've got about 20 businesses that
work in that building. They've got four or five staff as well. So you're talking several hundred
people going in and out of that space. And then you've got a cafe in there as well. So it's a
great place to work, but you've got lots of people going through. Now, if we wanted to simulate or practice in that smart environment, yes, we can scope it down, but how do we scale it up? You know, how do we simulate the behavior or emulate the behavior or capture the real world behavior of 200, 300 people on a day-to-day basis? Sitting around that is all the privacy and ethics concerns.
And this is one of the big challenges that we're facing as we're starting to develop our IoT
research, is that the actual physical process that we need to test is that of human
beings interacting in a social environment. And I suppose the range of potential devices
that can be brought in and made part of an IoT network is much broader than what you would have
to deal with with ICS. Yeah, one of the key things there as well is that the range of devices are also the attack vectors.
And you're never quite certain, actually, what the attacker might be trying to do.
We've heard all sorts of stories about attackers breaking into organizations via temperature sensors in fish tanks, for example.
And they all hang off similar or interconnected networks.
And a key part of the attack for IoT is really that human element,
probably, I would suggest, in a way that's much different to the ICS testbeds that we're used to.
Because of that, it's really important that we understand the way that the individuals
interact with that IoT environment much more than perhaps we do with ICS testbeds.
All right. Well, it's interesting research, to be sure. Daniel Prince, thanks for joining us.
My guest today is David Belson.
He's Senior Director of Internet Research and Analysis at the Internet Society,
a group that has its origins in the Internet Engineering Task Force. Their stated mission
is to support and promote the development of the Internet as a global technical infrastructure,
a resource to enrich people's lives, and a force for good in society. My conversation
with David Belson focuses on Russia's sovereign Internet law and how efforts like it may ultimately affect a free and open global Internet.
So, I mean, right now, obviously, the law, the sovereign Internet law is focused on Russia and the Russian Internet in terms of tightening control over it with respect to DNS, with respect to filtering and deep packet inspection and so on.
The way it impacts the rest of the global internet, I guess, is a couple fold. One is that
it may make it more challenging for users outside of Russia to access resources that are hosted
within the country. So if you are an expat and you want to access Yandex or another tool or application that's hosted within the country,
it may be the case that it slows down or just becomes inaccessible for users from certain countries.
But I think that the bigger threat, to be honest, is that other countries are looking at this and monitoring the effort,
monitoring the potential success and looking to implement something similar
within their countries.
We saw this around last month, for instance.
They had a multi-day internet shutdown there.
And talking to some of the folks within the industry, it appears that it may have been
something of a trial run for their national intranet, which they've been talking about doing for several years.
I've heard some policy folks refer to it as the splinternet, that we'll have these sort of perhaps islands around the world.
What does it mean for internet providers, the folks who are routing the traffic around the globe?
It's a complex system to start with,
but I think it's going to wind up adding complexity
because you now have potentially these islands of connectivity
that exist within a country or outside of the country.
So questions of how do I route this traffic?
If the traffic's coming from within one of these splintered countries,
does it get routed outside the country, or does it have to stay within?
If I'm an international provider, an international backbone provider, I need to figure out, you know, can I reach endpoints within that given country?
And if so, how?
The Russian model now is talking about only exchanging traffic at specific approved Internet exchange points.
So that may create challenges as well for these international providers, where today, because the Russian internet has grown up a little more freely over the years,
there are dozens of internet exchange points out there, or within the country, excuse me,
connecting hundreds of networks.
So that may change if I'm an international network provider or an international content provider going forward under this new law.
Does it mean that we'll end up with some pinch points where all data has to route through
specific areas for inspection, if you will, a border stop virtually?
Under this law, yes, absolutely in Russia.
That's what they've said is that domestic traffic will have to only be exchanged within these approved Internet exchange points.
There is a component within the law about switching to, effectively, a national DNS system.
So basically where they can control the ability to enable a user to get
to Twitter.com or what have you, Wikipedia, whatever.
Not only are they potentially limiting the number of exchange points that the traffic
can go through, but they're also talking about implementing filtering and things like deep
packet inspection at those exchange points.
My understanding is that the providers locally are starting to warn users that this may result
in slower services,
ultimately, you know, because all the traffic has to go through those now limited number of
pinch points. Do we suppose that folks are going to spin up workarounds? I mean, I'm imagining
sort of the internet version of pirate radio stations. It's likely that they will try to.
You know, my understanding is that there's already been some efforts online
to talk about, okay, if this goes into place, here's how we can get around it.
That may be VPNs, it may be using alternative DNS providers,
it may be using alternative tools that can
enable traffic to masquerade. So traffic that's normally
over one protocol can sort of be smuggled over a different protocol that may not be getting filtered or maybe much harder to filter.
So I think that as this is implemented, we'll definitely see efforts to circumvent it.
What's been the response from other nations around the world?
You know, those who are interested in a free and open Internet?
Certainly not a positive one, at least among those countries.
For those of us that are interested in a free and open Internet, we don't want to see something like this.
You know, the other challenge as well is that these efforts ultimately reduce Internet resilience as a whole.
So the Internet is an interconnected network of networks.
It only works successfully when everybody is sort of behaving themselves and cooperating.
When these things start occurring,
it ultimately lowers the resiliency of the global internet.
That's a bug, not a feature.
Russia may be looking at it as a feature,
but for everybody else, it's really a problem.
So we may not see things immediately,
but I think over time we'll have to continue to watch and see,
are there any artifacts of what they're doing here?
But I think that we also need to continue to work as an industry and as a community to convince the legislators and the policymakers in countries that may be looking at this with interest that this is not the right approach and this is not the road they should be going down, that a free and open Internet is critically important, and that it has ultimately, you know, a number of benefits for their country. Even if they're looking at it and saying, you know, this just allows our citizens to communicate or to organize or what have you, there are a number of other impacts and other benefits that the open internet has for them as well that they need to really understand and focus on.
That's David Belson from the Internet Society.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker too.
The CyberWire podcast is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.