CyberWire Daily - Ripple20 flaws in the IoT supply chain. Operation In(ter)ception looks for intelligence, and cash, too. Sino-Indian tensions. A look at Secondary Infektion. How not to influence reviewers.
Episode Date: June 17, 2020

Ripple20 vulnerabilities are reported in the IoT software supply chain. North Korean operators go for intelligence, but also for cash, and they're phishing in LinkedIn's pond. Sino-Indian tensions find expression in cyberspace. A long look at the Russian influence operation, Secondary Infektion. Joe Carrigan from JHU ISI on why older adults share more misinformation online. Our guest Will LaSala from OneSpan tracks the increase in online banking fraud during COVID-19. And the strange case of the bloggers who angered eBay may have more indictments on the way. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/117
Transcript
You're listening to the CyberWire Network, powered by N2K.
Ripple20 vulnerabilities are reported in the IoT software supply chain. North Korean operators go for intelligence, but also for cash, and they're phishing in LinkedIn's pond. Sino-Indian tensions find expression in cyberspace. A long look at the Russian influence operation, Secondary Infektion. Al-Qaeda is back and asking its adherents to consider e-jihad. Joe Carrigan from Johns Hopkins University Information Security Institute on why older adults share more misinformation online. Our guest Will LaSala from OneSpan tracks the increase in online banking fraud during COVID-19. And the strange case of the bloggers who angered eBay may have more indictments on the way.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 17, 2020.

The Israeli security firm JSOF reports the discovery of 19 zero-days, collectively called Ripple20, that afflict the Internet of Things software supply chain. They're flaws in low-level software that handles the TCP/IP protocol, and, as Wired observes, that software is at the beginning of a long and complicated supply chain through which vulnerabilities propagate in difficult-to-control ways. The research team says that "affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy, telecom, retail and commerce, and other industries." The U.S. Cybersecurity and Infrastructure Security Agency, CISA, looked at the bugs and rated six of them as scoring between 7 and 10 on the CVSS scale, where 10 is the most severe. CISA recommended that users take steps to minimize the risk of exploitation, including placing vulnerable devices behind firewalls and removing connections to the public Internet. Such mitigations may be easier recommended than accomplished. JSOF began quietly disclosing the vulnerabilities to vendors back in February, and many of them have already been patched. But IoT devices are notoriously easy to overlook, and in any case, a lot of the buggy code may still be undetected.
The security company ESET describes a North Korean campaign of targeted attacks against European defense and aerospace companies. They call it Operation In(ter)ception, and it has two purposes, espionage and financially motivated business email compromise. Pyongyang's operators start with LinkedIn, proffering meretricious job offers to workers at selected companies. They seek to develop relationships into sources of information. They also, in some cases, work to compromise their email accounts in order to induce companies to fall for fraudulent fund transfer requests. This is consistent both with North Korea's intelligence requirements and its chronic need for cash.
Border skirmishes with China have moved India's government to a higher state of alert, both kinetic and cyber, the Economic Times reports. The Hindustan Times outlines one aspect of that alert: publication of the National Security Council Secretariat's list of 52 apps it finds too close to the Chinese government for comfort. Some of the apps are well-known and widely used. Zoom and TikTok, to name two, are both on the list. India's intelligence services would ideally like to see the 52 suspect apps blocked.
Graphika has published a new study of Secondary Infektion, the Russian disinformation operation. The report concludes that Secondary Infektion has been in continuous operation since 2014, that it's run by a single unidentified controlling agency, and that it's been relatively quiet, at least compared to the noisier operations of the GRU and the troll-farming Internet Research Agency. Graphika gives the operation high marks for security, which can be attributed in part to Secondary Infektion's tendency to prefer short-lived, often single-post blogs, single-use burners, to social media, where coordinated inauthenticity would be easier to spot. But it's not clear how effective the operation has been. Its posts have a record of low engagement rates. They made unusually heavy use of forged documents, and their linguistic capabilities have been uneven, to say the least. The French, German, and English they use are poor, and marked by the usual stigmata of a non-native speaker with roots in a Slavic language: poor grasp of the idiomatic use of articles, uncertainty about case, especially the genitive, eccentric word order, and, in French and German, trouble handling grammatical gender. Think of the diction one finds in an easily recognized phishing attempt. With respect to English, at least, the Kremlin has linguists who could do much better. Secondary Infektion stuff reads like bad North Korean agitprop. It's not even the playfully mangled language of the old Shadow Brokers, with a wink and a nudge. The Brokers always achieved a wacky kind of lyricism that any fair-minded person would appreciate. This stuff is just poorly executed. Here's an example, an attack against the Atlantic Council's Digital Forensic Research Lab, which outed Secondary Infektion last year: "Yes, the forensic experts were wrong about almost everything, but they thought the existence and spread of a different opinion from their employees was a serious threat, and devil take it, that tickles my pride." Devil take it indeed, and if we may say so, the Atlantic Council's DFRLab should wear that as a badge of honor.

In any case, Graphika finds nine themes that have dominated Secondary Infektion's output since its inception: Ukraine as a failed or unreliable state, U.S. and NATO aggression or interference in other countries, European divisions and weakness, elections, especially in the United States, United Kingdom and France, migration and Islam, Russia's doping scandals and various sports competitions, Turkey as an aggressive destabilizing power, defending Russia and its government, and insulting Kremlin critics, including Alexei Navalny and Angela Merkel. These are often supported with implausible forgeries. Many of the topics suggest that Secondary Infektion's work was, if not directed toward, at least imaginatively dominated by a Russian domestic audience.

Secondary Infektion is not, as several headlines have suggested, a newly discovered operation, as Graphika explains. Facebook flagged the operation as Coordinated Inauthentic Behavior in May 2019, although not under the Secondary Infektion name, and the Atlantic Council described and named it last June. So what's new in Graphika's report? It's the extensive catalog of Secondary Infektion's works. And reading through them teaches again the lesson that OPSEC by itself isn't enough for efficacy. We may not know which sub-directorate in which Russian service ran these messages, but how much does that really matter in the long run? Again, Moscow has groups like Fancy Bear and the Internet Research Agency who've shown they can do much better. Graphika does have one quietly interesting suggestion. Looking at the very low engagement rates Secondary Infektion's output produced, they suggest that maybe the operators were paid for output, not reach. So, as a famous Russian thought leader once remarked, quantity has a quality all its own, and we'll add that in this case, the quality was pretty bad.
It's well known that the folks out there who are up to no good online have taken the COVID-19 crisis as an opportunity, using the uncertainty as a way to take advantage of the unprepared or unprotected. Will LaSala is director of security solutions at OneSpan, where they've been tracking an increase in online banking fraud during COVID-19.
So I think the main thing that you see with the pandemic, so before the pandemic, fraud was kind of steadily rising. People were starting to make the change gradually to digitization. In other words, using digital processes. You were getting to a point where there were some people that were remote, that kind of thing. But then the pandemic started, and it was a mad rush for everybody to embrace the digital world that we live in, more so than the banking industry.

Yeah, I mean, I guess I hadn't really considered that, you know, in this age of online banking and slinging money around via our mobile devices, that there are still a lot of functions of day-to-day banking that traditionally, and I guess to this day, have taken place face-to-face.

Yeah, exactly. I mean, think about, so the older generation, the older generation. So I think I'm probably an older generation person too, but the people even older than us, they typically do their banking kind of in a face-to-face aspect. So they're still writing paper checks. They're still going into the branch offices and we're interacting with tellers. So all of a sudden, they can't do that anymore. What do they do? So they're not going to gravitate to a mobile phone like the younger generation did. They're going to pick up the phone and call call centers. And so call centers were completely overrun. And not just that, but think about the hackers now. So if you've got everybody calling in there and you're a hacker and you impersonate someone else, how do you prove that user? And so you saw all kinds of fraud on some of these more traditional channels that you wouldn't even think of normally.

Are you tracking any differences between the size of the institutions? I guess I'm wondering, does that local community bank have any advantage by being nimble or does the big nationwide bank have the advantage of having so many resources behind them?

You know, it's interesting. So the smaller banks are actually having a harder time of it because a lot of the times they are more of a friendly bank. So you want to go in and transact with them. They do most of their business in person versus online, whereas a big bank, most stuff is done online. We also have to think internally of the employees of those banks. When they needed to do work, the small banks, they immediately, everybody started working from home. Pretty much 90, 95% of the people that were employed at the bank started working from home, versus the large banks, it was exactly the opposite, so maybe only about 10 or 15 percent of the bank worked from home and the rest of the bank was still in the offices, still kind of going from there. And that also had to do with how quickly they can get security components in place, so moving to mobile authenticators that could generate a mobile password and getting those out to the workforce. That was also a big kind of shocking difference between the small and big banks.

That's Will LaSala from OneSpan.

And finally, indictments in the case of the former eBayers, the people who allegedly executed a campaign of harassment against two bloggers whose negative reviews and the comments those reviews attracted vexed some numeros at the online marketplace, may not be complete. Apparently, the six people so far indicted may not be the last. The U.S. attorney prosecuting told CBS News that the investigation was active and ongoing. Are there lessons here? Yes, indeed. Some of them are platitudes. You catch more flies with sugar than vinegar, for example, or in this case with pig masks, porn, or live cockroaches. Corporate communications, PR consultants, corporate counsels, and security teams could all learn a great deal from this strange story.
And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Joe, great to have you back.

Hi, Dave.

Interesting story came by from the MIT Technology Review, and it's titled "Older Users Share More Misinformation. Your Guess Why Might Be Wrong." What's going on here, Joe?

That's right. This is actually research from a postdoc at Harvard named Nadia Brashier, and Dr. Brashier has done some work here and found out that there are some stereotypes about older people as to why they might share more misinformation on social media. Now, they do share more misinformation. That's pretty clear. But the reason why, people might say it's because they are suffering some kind of cognitive decline because they're older and they might be lonely. Those are the two reasons that people seem to think that older people might do this. But they are not valid reasons as to why this is happening, according to Dr. Brashier's research. And what she said was that recollection will decline with age, but our ability to process and understand information remains the same as we get older. And in general, knowledge improves, which is one of the things that we've talked about before, both on Hacking Humans and I think here on this show, is that older people are actually less likely to fall for a scam than younger people are, probably because of their experience with the world. And they don't forget.

Their cynical approach. They've been burned before.

Right, yeah. Exactly. And they just know, oh, this is BS. I'm not falling for this. But it's not because of a decline in cognitive abilities at all. That's really not what's happening. And the other reason is loneliness. Older adults are not the loneliest age group. In fact, it's a complex relationship, according to another paper that she cites in her paper, that says it kind of fluctuates across time, peaking in late 20s, mid 50s, and late 80s. So in general, no, they're not the oldest. There is something that she points to, which I think is actually interesting. This article talks about the fact check. Social media platforms often rely on fact checks to show that this information is either not correct, right? So you might see a label that says this information is false on it. And that label ironically increases older adults' belief in the claim later. And that actually stems from another study that was done by Ian Skurnik, Carolyn Yoon, Denise Park, and Norbert Schwarz that says that telling people that a consumer claim is false can actually make them misremember it as true. And they conducted some experiments on this. So that might be one of the reasons that when they see "false" on a statement, they're misremembering it as true.

Interesting. Just the highlighting of the statement at all, I guess, gets perhaps miscategorized.

Yeah, yeah.

Interesting, interesting.

I still think that social media is not a valid platform for political discussion. I just don't think it's, I'm still going to say that. Even today, when there's a lot of stuff happening on social media, I just don't think that it is a, that anything constructive happens on there. I've actually uninstalled all my social media apps from my phone for the sake of my own mental health. I haven't yet closed my accounts. I've just stopped looking at them as much.

Yeah. There's an interesting thing they note in this article in the MIT Technology Review. They say that in addition to having less familiarity with social platforms than younger generations, older adults tend to have fewer people on the edges of their social spheres and tend to trust the people they do know more.

That's right.

Which I suppose leads to being more in a bubble, more of an echo chamber.

Yeah, absolutely. And that's actually my biggest problem with social media is that you are in an echo chamber. And it's probably targeting the older people more. I'm going to have to read the paper that Dr. Brashier has written because, and I've printed it out. I got it right here, actually. I'm about to go sit down and read it because this sounds interesting to me. I'm very interested in it. Dr. Brashier is actually a cognitive scientist. And I think we need more cognitive scientists and psychologists and maybe sociologists even in this field, in the cybersecurity field, doing research on this. I think that would provide valuable insight to the way people conduct themselves.

Yeah, no, it's an interesting article. It's from the MIT Technology Review titled "Older Users Share More Misinformation. Your Guess Why Might Be Wrong." Joe Carrigan, as always, thanks for joining us.

It's my pleasure, Dave.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik. Thanks for listening. We'll see you back here tomorrow.