CyberWire Daily - Ransomware deletes dupes. Exodus scandal grows in Italy. Election reports from Ukraine and Israel.

Episode Date: April 2, 2019

In today’s podcast, we hear that a ransomware strain deletes duplicates. But you know that just keeping a duplicate on the same drive wasn’t a secure backup, right? Right? Exodus spyware, now ejected from Google Play, is becoming a significant scandal in Italy. Influence operations meet campaigning in India and Israel--fair or unfair seems to be in the eye of the campaigner. In Ukraine, there’s just so much disinformation. OpIsrael hacktivists are expected back this weekend. More on below-the-belt selfies. Prof. Awais Rashid from University of Bristol on training people to work with cyber security complexity at scale. Guest is Hank Thomas from Strategic Cyber Ventures on the current environment for VC funding in cyber security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/April/CyberWire_2019_04_02.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A ransomware strain deletes duplicates. But you know that just keeping a duplicate on the same drive isn't a secure backup, right? Right? Exodus spyware now ejected from Google Play is becoming a significant scandal in Italy.
Starting point is 00:02:12 Influence operations meet campaigning in India and Israel. Fair or unfair seems to be in the eye of the campaigner. In Ukraine, there's just so much disinformation. Op Israel hacktivists are expected back this weekend. And more on Below the Belt Selfies. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 2nd, 2019.
Starting point is 00:02:44 BleepingComputer reports some unusual behavior in a ransomware strain, VXCryptor. The malware finds and deletes duplicate files on victim devices. Why it does so is unclear. It may be a simple step in the malware's evolution. It may be a means of increasing the speed of the malware's functioning. It may be something done out of a finicky sense of proper order, tidying up, as BleepingComputer muses. It wouldn't be an attempt to clobber protective backups,
Starting point is 00:03:12 the single best way of preparing recovery from ransomware, because no one would think that making a second copy of a file and depositing it on the same drive would usually constitute a secure backup. Right? I mean, right? Anywho, the why may be mysterious, but the how isn't mysterious at all. As researcher Michael Gillespie tweeted in response to researcher Lawrence Abrams' observations about VXCryptor, quote, it does a SHA-256 of the file, and if it has already encrypted a file with that hash before, it deletes it. So any files that are The discovery of lawful intercept tools concealed in apps available in Google Play may be on its way to becoming a major scandal in Italy.
Starting point is 00:04:01 Google has removed the Trojanized applications from its store. The 25 apps affected contain spyware called Exodus that researchers believe may have been produced by Italian security company eSurv. As Security Week notes, eSurv has been difficult to contact about the matter. The company's webpages appear to have been taken down. At any rate, we've been unable to find them this afternoon. eSurv, by the way, should not be confused with similarly named companies and organizations. The company in question is an Italian security software company,
Starting point is 00:04:37 not English surveyors or makers of opinion survey tools. Motherboard says that prosecutors in Naples have opened an investigation into eSurv. The company's offices were apparently raided three weeks ago, and the police are looking for four individuals in particular, at least two of whom are or were eSurv managers. A number of media outlets, Security Week among them, have observed that one disturbing thing about the whole affair is that Google's screening didn't catch the Exodus spyware before it was made available in Google Play. Disturbing, that may be, but it's neither new nor particularly surprising.
Starting point is 00:05:11 Android apps are a pretty wide-open field, and while Google Play is a kind of walled garden, its fence is chain-link, and serpents have crawled in before. They will again. With 2019 well underway, the investment opportunities in cybersecurity startups continue to attract the attention of venture capitalists on both U.S. coasts and around the world. We checked in with Hank Thomas, CEO of Strategic Cyber Ventures, for his take on the market. 2018 was a record year for investing in cybersecurity. It doesn't correlate directly to maybe sort of the bubble that was forming in the dot-com boom, but there are record numbers of investment going into cybersecurity companies worldwide. And what do you suppose is driving that? Well, I think it's sort of a big, big gets bigger.
Starting point is 00:06:08 So it's a race to gobble up market share for companies that are in a crowded space. So if you're an endpoint security company and you want to take up market share, the investors are going to want to put more and more money into that company to rev up that marketing engine, to take up more of that market share and win the race to the top. We've been hyper-focused on things that are highly differentiated and maybe slightly over the horizon. But I think what most investors are focused on are things that they view as deficits for innovation in larger cybersecurity players. So there's many larger cybersecurity players out there with large cash balance sheets. They take a review of what those deficits are for those larger players that struggle to innovate, and they generally push their investments in those directions.
Starting point is 00:06:54 What's on the horizon in terms of risks for this particular market? Certainly, I know we're looking at a potential, I think, here in the U.S. in any way for some new privacy regulation. Is that going to affect things? I think it will. I think it will really depend on the security control. You know, some security controls require more aggregation of personal information. Ultimately, you know, when you have a global network of adversaries that are going to be working to kind of defeat security and cause a larger privacy concern to populations in various regions of the world.
Starting point is 00:07:29 I think people are going to have to come to the conclusion that they're going to have to balance the need for some data aggregation, some personal data aggregation around cybersecurity with strong privacy laws. And what are you seeing in terms of the global big picture? I mean, things are still focused in the U.S. So where are you seeing some other strong players? In the U.S., the West Coast still kind of leads the way, although there's been an uptick in investing on the East Coast, which is where our company is located, and in the Midwest and sort of some non-traditional areas
Starting point is 00:08:04 here in the U.S. You've seen an uptick in investing in cybersecurity. The West Coast still leads the way. China was really strong up until around 2017, and we saw a big fall off. And I think that comes to the fact that most people were kind of whistling past the graveyard, most investors, as to the lack of demand for Chinese cybersecurity products. Almost sounds like an oxymoron in the global market. So you've seen a big drop off in that. But Israel obviously continues to trend up rapidly and has surpassed the U.K. even in investing in cybersecurity.
Starting point is 00:08:40 What is your advice for that person who's out there who thinks they may have a product that they want to take to market? They think they built a better mousetrap. What are the types of things that they need to do to attract investors? Yeah, you know, I think, looking at these things every week, I meet folks that have maybe a great idea and a PowerPoint slide to help explain it. But they haven't really thought through the product to market fit. They haven't thought through the strategy to get to break even. If you don't want to become a bloated zombie floating in the sea of sameness in cybersecurity, you really need to have a differentiated product.
Starting point is 00:09:20 And you really need to have studied the market to understand what's out there beyond what you, you know, it's just sort of publicly available because there's other people like you thinking about starting things up like this. And there are resources to figure out what they've done so far. And also look at other companies that have failed. There's plenty of research now that cybersecurity, while it's still a young industry, has been around for several decades now with a lot of investment going into it. Look at failures and figure out what went wrong there and try to obviously not do those things. That's Hank Thomas from Strategic Cyber Ventures. India's election season is in full swing, and according to the Wall Street Journal,
Starting point is 00:10:03 government attempts to restrain fake news have yielded disappointing results. Politically loaded hoaxes are rampant on WhatsApp, despite the Facebook subsidiary's attempts to control them. Much misinformation in India seems domestic in origin, pushed by rival parties, and not really following the playbooks set by the Russian intelligence services with trolling via inauthentic accounts. It's an interesting development, especially given the House of Zuckerberg's recent trial balloons about shifting more of its services to the sort of private messaging and small group chit-chat typified by WhatsApp. Whatever the virtues of such an approach as a commercial matter, it wouldn't appear to offer a royal road to the kind of clean and high-minded political discourse
Starting point is 00:10:47 Mr. Zuckerberg suggested over the weekend he'd like to see the governments of the world regulate us into. The first round of Ukraine's presidential election is over, with a runoff between frontrunner Volodymyr Zelensky, television actor and political neophyte, and incumbent President Petro Poroshenko, scheduled for April 21. TASS is authorized to disclose that Russia may decline to recognize the election results, citing widespread fraud and intimidation.
Starting point is 00:11:19 A senator in the Duma offered this opinion, although he qualified it by saying that, of course, the final decision on any such matter would rest with President Putin. This seems more information operation than news. The Russian state media organs have for some time been warming up on the Ukrainian election with altruistic warnings of thuggery, intimidation, fraud, and so on. Other observers saw no such problems. Preliminary remarks by observers from NATO and the Organization for Security and Co-operation in Europe
Starting point is 00:11:51 were pretty upbeat about the quality of the election. Israel's hotly contested election, in which incumbent Prime Minister Benjamin Netanyahu is being challenged by former IDF Chief of Staff Benny Gantz, has also seen accusations of illegitimate use of social media in the service of influencing the electorate. Most of these allegations have come from candidate Gantz's new party, Israel Resilience, and have been directed against Prime Minister Netanyahu's Likud.
Starting point is 00:12:20 Likud says the network is organized to advance a political viewpoint and that it doesn't contain bots. Activists of Op Israel are expected to hit Israeli targets this Sunday in their annual protest against the Jewish state. The protest occurs this year shortly before the country's elections, which will be held on the 9th. Anonymous, if you remember them, has been involved with Op Israel since 2013, and the activity amounts at this point to online protest, not really having risen above a nuisance level. Over the weekend, Gavin de Becker, security advisor to Amazon founder Jeff Bezos, published the conclusions of his investigation of the selfie hacking dispute with the National Enquirer's owner, AMI.
Starting point is 00:13:05 Mr. Bezos disclosed the matter with his now-famous, and if we might say so without an unseemly breach of objectivity, disarmingly witty blog post, No Thank You, Mr. Pecker, in which he declined to negotiate with the National Enquirer over the publication or suppression of the ritualistic courtship images of Mr. Bezos they somehow obtained. Mr. de Becker summarizes his conclusion as follows, quote, Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos' phone and gained private information. As of today, it is unclear to what degree, if any, AMI was aware of the details.
Starting point is 00:13:46 The evidence he cites is admittedly circumstantial, but he and others think it compelling. Thus, attribution of the link to Mr. Bezos' boyfriend-in-law, Michael Sanchez, may have been more wolfmeat or red herring than definitive explanation. The Saudis' presumed motive is retaliation for Washington Post reporting on the murder of Jamal Khashoggi in the Saudi consulate in Istanbul. Mr. Bezos, of course, has had a controlling interest in the Post for some time. de Becker's investigation didn't name any vendors, but media speculation immediately turned to NSO Group, controversial provider of lawful intercept products to a number of governments.
Starting point is 00:14:28 NSO Group preemptively issued a denial of involvement, stressing that its products are designed not to intercept U.S. phone traffic and insisting that they do appropriate target validation. More will surely emerge over time, but again, we'll leave you with this advice. When courting, just send flowers. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life.
Starting point is 00:15:03 You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:15:36 But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:16:55 We'll see you next time. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:17:35 And joining me once again is Professor Awais Rashid. He's a professor of cybersecurity at the University of Bristol. Awais, it's great to have you back. We wanted to talk today about dealing with cybersecurity at scale and specifically, how do you go about training people to function in that environment? What do you have to share with us? I think the problem is that we are building increasingly more and more complex systems. If you look at, depending on whichever estimate you believe, there are going to be
Starting point is 00:18:06 something like 25 to 50 billion connected devices around the world in the next five to six years. And there are also all sorts of estimates that global data traffic, for example, will reach in excess of 270 exabytes a month over the same period. And potentially a lot of this will filter through these various connected systems and devices. So the problem is that we are actually going to see systems and infrastructures at a scale that we have never really encountered before. We know how to deal with reasonable scale systems, but they're often in the control of a single organization. If you think about a smart city where a number of different stakeholders come together to provide a range of services, and then as a user,
Starting point is 00:18:48 you're walking through the city and then interfacing with these services. So there aren't really always fixed boundaries of who is coming into contact with whom and potentially both malicious and non-malicious actors actually operating in that kind of environment. So we are seeing a scale of complexity
Starting point is 00:19:04 and connectivity that we haven't seen before. And the challenge that becomes is that it also is reflected in the scale of attacks and their impact. So you can think of potentially an attacker compromising smart refrigeration across an entire city, overloading the power grid and hence disrupting an essential service, and then you can foresee the impact of that. And that's really what I mean when I say that we need to sort of tackle security at scale, because what we see currently is that a lot of systems are designed with smaller scale systems in mind. And when they are tried to scale up to these kind of large scale environments, they don't necessarily scale. Yeah, it's interesting. You know, I think about people say, you know, when you have a big problem
Starting point is 00:19:42 in front of you, try to break it down into some smaller pieces and you can address those one at a time. And I wonder if that's even a possibility for some of these large installations. You're absolutely right. It's not so much that you don't want to break the problem into smaller portions. I think if you start by saying you are going to design something, let's say an intrusion detection system for a much smaller scale environment, then you don't really consider the requirements and constraints and the complexities that come from this large scale setting. And what we ought to be doing is we ought to be teaching people and training people, whether in universities or industry, to start from looking at these kind of large scale problems so that they understand where the challenges come from and then situate their thinking into those kind of problems.
Starting point is 00:20:28 Because ultimately, that is how we will address some of the skills gaps that we have by training people to think this way. Because at the moment, we say to them, well, do this thing for a small scale system and then try to scale it out. And my own experience is that when people first encounter these kind of systems, they go, oh, my goodness, these are on a scale that I never thought about. And we need to invert that perspective. We need to get people to think first and foremost about these large-scale problems so that they understand the requirements and constraints, and that then informs their thinking,
Starting point is 00:20:56 and then you can, of course, you know, break down the issue into smaller problems, because you will have different elements of the problem. But as long as those top level requirements and constraints and challenges remain at the forefront of your thinking, then that would be particularly important. A key element, of course, of that is that because we build these large-scale infrastructures, and we always talk about security by design and privacy by design, we also have to think about that these infrastructures are going to remain in operation for a very long time. So we have to think about how do we deal with security of data and information, not as it has been created, but all across the lifetime of the system. As attack scenarios change, new types of technologies may come online. And when at some
Starting point is 00:21:37 point you have to decommission the system, what do you do? And all these considerations need to come into play, but we don't necessarily think of them up front. And that's why we see a lot of the problems we see today. Yeah, that's interesting insight. Awais Rashid, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
Starting point is 00:22:15 stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:23:02 The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:23:23 John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
