CyberWire Daily - Reaper botnet looming, but not yet landed. CyCon phishing. How to troll for influence.

Episode Date: October 23, 2017

In today's podcast, we share some notes on active malware campaigns, and a warning to be on the lookout for the Reaper botnet, which hasn't yet realized its disruptive potential. Kaspersky opens its source code to independent review, to show it's got nothing to hide. Fancy Bear is phishing for you if you plan to attend CyCon. The difficulty of recognizing trolls, and the dangers of innocent posts getting badly lost in translation. A quick note about the ICS Security Conference. Dale Drew from Level 3 Communications on managing the security of the supply chain. And looking for lulz in all the wrong places. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. We've got notes on active malware campaigns and a warning to be on the lookout for the Reaper botnet, which hasn't yet realized its disruptive potential. Kaspersky opens its source code to independent review to show it's got nothing to hide.
Starting point is 00:02:09 Fancy Bear is phishing for you if you plan to attend CyCon. The difficulty of recognizing trolls and the dangers of innocent posts getting badly lost in translation. A quick note about the ICS Security Conference and looking for lulz in all the wrong places. I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, October 23, 2017. We begin with a few quick warnings. Two active malware campaigns bear watching in the wild. macOS Proton backdoors are being distributed through trojanized Elmedia players,
Starting point is 00:02:53 and the Magniber ransomware strain continues its geo-focused circulation through East Asia. Security experts are still waiting for the Reaper IoT botnet storm to hit. It's also called IoTroop. Many think the distributed denial-of-service campaign Reaper appears to be being readied for may dwarf Mirai's. Kaspersky Lab has offered a counter to the U.S. government's ejection of the company's software from federal networks. Kaspersky is offering, under the slogan "Don't just take our word for it, see everything for yourself," a global transparency initiative in which the company is offering up its source code for independent public inspection. This will allay some of the more lurid claims that the company's software is engineered as a reconnaissance tool for exploitation by Russian intelligence services.
Starting point is 00:03:36 But it's unlikely to assuage concerns that the exploitation and compromise users fear wouldn't be possible in some other form. Still, it's difficult to see what else Kaspersky could offer. Non-governmental users of the security software seem to be following the U.S. government's lead. Fancy Bear, also known as APT28 or, to name it directly, Russia's GRU, is snuffling around people thinking about attending next month's CyCon conference in Washington, D.C. Sponsored jointly by the U.S. Army Cyber Institute and NATO's Cooperative Cyber Defense Center of Excellence, this year the well-known conference takes the future of cyber conflict as its theme. Fancy Bear is phishing for prospective attendees with a baited Word document that carries Seduploader as its payload.
Starting point is 00:04:26 Seduploader is a reconnaissance tool useful in determining which targets deserve closer attention. The phishbait document, a cut-and-paste job designed to look like an event flyer, is conferenceoncyberconflict.doc. Stay away from it and the malicious macro it contains. A Twitter executive was apparently successfully trolled by Russian influence operators in 2016, induced to retweet positive stories from a bogus Black Lives Matter activist. Twitter CEO Jack Dorsey is said to have retweeted posts from a St. Petersburg troll factory in early 2016.
Starting point is 00:05:08 Observers take the incident as a cautionary tale of how grooming influencers works. It's little different from the ways in which unwitting agents of influence have always been cultivated. Start small and start innocent, in this case with tweets about how Rihanna collects her Humanitarian of the Year award from Harvard. Who, after all, could object to that? Before everyone piles on to Mr. Dorsey as the naivest kind of sap and stooge,
Starting point is 00:05:30 consider a couple of points. First, he's believed to have retweeted precisely two tweets from the trolls, both of them entirely anodyne, harmless, the sort of thing anyone who notices pop music, or Harvard, for that matter, might have retweeted or liked. Second, few bother to look closely at the sources of social media posts they find interesting,
Starting point is 00:05:50 and in this case the Russian troll farm had been at pains to conceal its identity. So we invite anyone who hasn't casually shared some innocent news over social media to cast the first stone. It's become clear that where influence operations are concerned, lies require a bodyguard of truth, and the vicious will stand unobtrusively amid a crowd of the virtuous. It's a bit like the way the devil is said to be able to appear in the guise of an angel of light. It's also becoming clear that hopes for salvation through artificial intelligence are premature at best, if not actually impossible
Starting point is 00:06:25 in principle. This is not to say that AI isn't useful and won't form an indispensable part of technology's future, but AI is not the philosopher's stone, whatever the alchemists of Mountain View and Cupertino might lead one to believe. Consider the difficulties Facebook has been seen to have with selling ads to Russian influence operators and others they'd rather not be associated with. It's a tough problem that's induced the company to open positions for a large number of human analysts. And the limitations in the state of the natural language processing art were on display this week in Israel. Haaretz reports that Israeli police arrested a Palestinian man for suspicion
Starting point is 00:07:06 of incitement. The suspect in question seems entirely innocent. A construction worker, he posted a photo of himself leaning against a bulldozer and holding a cup of coffee and a cigarette. His caption was a simple "good morning." But Facebook's algorithms rendered the Arabic greeting as "attack them" in Hebrew and "hurt them" in English. We've got our people down in Atlanta this week for the annual ICS Security Conference that began today. The event, which serves energy, utility, chemical, transportation, manufacturing, and other industrial and critical infrastructure organizations,
Starting point is 00:07:43 focuses on the distinctive challenges of securing industrial control systems, ICS. The conference opens just after U.S. authorities warned that the Dragonfly threat group, also known as Energetic Bear, is actively engaged in spear-phishing operations against utilities, principally electrical power organizations. The campaign appears to be in its reconnaissance phase. A similar warning was delivered last week in Belfast by Ciaran Martin, head of GCHQ's National Cyber Security Centre, who said that while the NCSC had successfully blocked attempts to penetrate Northern Ireland's grid,
Starting point is 00:08:20 the attackers could be expected to return. And finally, teenage hacker but legal adult Meet Kumar Hiteshbhai Desai, now 19, was looking for lulz in all the wrong places when he hacked and shut down 911 services throughout Maricopa, Arizona last year. Master Desai has received three years' probation, and he got off lightly. Shutting down 911 is no joke. We close with a word to our fellow youths out there. Stay in school, stay away from cybercrime, and think twice before you think something's funny and harmless. Calling all sellers.
Starting point is 00:09:02 Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs,
Starting point is 00:09:42 we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
Starting point is 00:10:09 and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. In a darkly comedic look at motherhood and society's expectations,
Starting point is 00:10:40 Academy Award-nominated Amy Adams stars as a passionate artist who puts her career on hold to stay home with her young son. But her maternal instincts And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been
Starting point is 00:11:36 breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I'm pleased to be joined once again by Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, welcome back. You know, you wanted to make the point today that when it comes to the supply chain, we've got some real issues here. Yeah, we think that the supply chain management for the average CISO is getting out of control. You know, there was a recent study that said that the average CISO has to maintain up to 75 separate security vendors just to protect their ecosystem. And that sort of chaos management and making sure that each of those layers is properly effective and efficient is fairly difficult. And so these are things like your antivirus vendors, your intrusion
Starting point is 00:12:31 detection vendors, your firewall vendors, data protection, governance risk and compliance. I mean, so it's a pretty broad spectrum. We're also hindered by the fact that vendors are selling solutions that are based on unknowns. You're buying a solution from a third party and relying on their expertise. And so sometimes evaluation of that capability can be difficult by the CISO and their team. So to sort of prove this point, we operated a web page a while back called Zero Functionality. And so it was taking advantage of the nomenclature of zero footprint and zero effort. And so we operated a webpage for a while called Zero
Starting point is 00:13:11 Functionality as a parody site. And so the sort of whole theme of it was, if you want a security solution with zero effort and zero footprint and zero capability, you should buy Zero Functionality. We had things like Devin Knoll was the CEO of the company. We had Les Isamore was head of marketing. MT Suit was our CFO. Within a week, we sold three solutions. We had three customers who were interested in that sort of zero effort in being able to protect their enterprise
Starting point is 00:13:45 that we actually had three people wanting to buy our solution based on an empty PowerPoint presentation and an empty zip file demo. So you had actual customers, money in hand, who did not get the joke and were ready to buy what you were pretending to be selling. That's absolutely right. We had people not realizing that this was a parody site, were really sort of attracted to that sort of zero effort capability of protecting their enterprise because they didn't have the expertise, came to us, dollar bills in hand, wanted to buy this zero product. Wow. So we think that not only
Starting point is 00:14:23 is the ecosystem complex, even for the most qualified technical team, but it can be a pretty significant, overwhelming experience for organizations that don't have the right expertise. So some of our recommendations are that when you want to evaluate technology, have a request for information or an RFI in hand for each of the areas of security technology that you want to review. You can also go to a third party and have them help you write an RFI. And the RFI should have a list of detailed questions about what you want to accomplish with that solution, how effective that solution is going to be, and what its capabilities are. And that gives you sort of an independent sort of peer review across the vendors in that space when you're evaluating solutions. Go talk to a value-added reseller about the vendors that you're evaluating and ask them about their reputation and about their capabilities. VARs who resell security solutions are going to have sort of an effectiveness capability and reviews from their other customers
Starting point is 00:15:26 and will be able to provide you some advice and guidance. We'd also advise that you test that solution in a small deployment, whether it's a test network or a small piece of your production network, before you commit to buying it to see if you were to buy it and deploy it, how effective is it going to be so you don't end up buying a solution purely on a PowerPoint presentation? And then the last one is, you know, we'd also recommend that you ask the vendor for references of people who are like in size and like an industry that you are and ask for their summary of the use of their solution in that company's network. And so you get, again,
Starting point is 00:16:04 a peer review, a like-for-like review of the same sort of company. These sorts of tools are going to help you make sure that when you're evaluating a solution, you're not doing it just based on the sales pitch. You're doing it based on a fairly deep understanding of the capabilities of that solution when you do deploy it in your network to protect yourself. All right. Pays off to do your homework. Dale Drew, thanks for joining us. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:16:46 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the CyberWire. We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner. Thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses
Starting point is 00:17:52 that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your Thank you.
