CyberWire Daily - Russia's phishing for nuclear power plants. NATO offers aid to Ukraine. Election hacking updates. M&A and venture news. Crime, punishment, and cryptocurrency.
Episode Date: July 11, 2017
In today's podcast we hear about how Russia has apparently been phishing in the North American and European power grid. NATO has had about enough of that. There will be no US-Russian joint cybersecurity effort. The Adwind RAT is back, and seeking to socially engineer its way into aerospace company networks. Election hacking investigation updates. Industry notes, including both venture and M&A news. Level 3 Communications' Dale Drew provides an update on botnets. Ntrepid's Lance Cottrell describes online ad tracking technology. And BYOD can pose a threat, especially when the device your rogue employees are bringing is an off-the-books server.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Russia goes phishing in the North American and European power grid. NATO has had about enough of that. There will be no U.S.-Russian joint cybersecurity effort. The Adwind RAT is back and seeking to socially engineer its way into aerospace company networks. We've got some election hacking investigation updates, industry notes including both venture and M&A news. And BYOD can pose a threat, especially when the device your rogue employees are bringing is an off-the-books server.

I'm Dave Bittner in Baltimore with your CyberWire summary for Tuesday, July 11, 2017.
More on the cyber attempt on the U.S. energy sector has come to light. It was apparently a phishing campaign mounted from Russia, and without effect on operational systems. Nonetheless, members of the U.S. Congress are expressing concern and demanding explanations. EnergyWire reports that the campaign has been in progress since May, and that the attackers are drawing from the Ukraine playbook, that is, the complex attacks used to take down sections of the Ukrainian grid twice since late 2015.

Europe is seeing similar probes of its critical infrastructure, and authorities and experts there, too, suspect Russia. Actually getting into power plant operational systems isn't trivial, but it's not impossible either. Observers note that phishing is one obvious attack method, but so are malware-laden USB drives and either malicious or compromised insiders. Those latter two approaches would overcome the air-gapping in which so many industrial operations place so much confidence.

Robert Hannigan, former head of the UK's GCHQ, told the BBC that "there is a disproportionate amount of mayhem in cyberspace coming from Russia, from state activity," and that this may be deterred only through retaliation.
NATO has announced that it's providing Ukraine with a range of cyber capabilities to aid that country in the hybrid war Russia is waging in the Donbass and elsewhere. In a joint press conference with Ukrainian President Poroshenko, NATO Secretary General Stoltenberg said the Atlantic Alliance was providing Ukraine with the means to investigate the cyberattacks it sustained. The alliance has also told Russia that it wants Russian troops out of Ukraine. U.S. sanctions are expected to stay in place as long as the Russian occupation of Crimea continues.
The very short-lived glimmer of international cooperation, confidence-building, and detente that twinkled on Sunday went out in less than 13 hours, as measured in U.S. President Trump's tweets on the possibility of easing tension in cyberspace. There will be no joint U.S.-Russian effort to shore up cybersecurity. President Trump's account of his meeting with President Putin said he pressed the Russian leader on election hacking, and in any case, Congress is unlikely to find itself in the mood for any reset in relations, still less any detente.

In the U.S., various investigations into Russian election hacking and the fallout therefrom continue. President Trump's son will testify before Congress concerning campaign-season contacts from Russian actors who said they had discreditable information on Democratic candidate Clinton. And it appears that former FBI Director Comey's private memoranda of conversations with President Trump may have contained improperly classified information.
We turn with some relief to more ordinary cybercrime and a mix of industry news. Trend Micro warns that a spam campaign pushing the cross-platform remote-access Trojan Adwind is in progress. This time around, the RAT is for the most part snuffling around the aerospace industry, with targets in Switzerland, Ukraine, Austria, and the U.S. Trend Micro notes that social engineering is an important part of its approach.
Several significant bits of industry news are breaking. Darktrace has raised $75 million for a just-shy-of-unicorn valuation of $825 million. Darktrace has shown considerable ability to penetrate the lucrative U.S. market, and it also announced early today that it had concluded a strategic partnership with managed security services provider CITIC Telecom CPC to gain traction in Asia and the Pacific. RiskLens has secured $5 million in Series A funding. The equity investment was led by Osage Venture Partners, with participation by Paladin Capital, Dell Technologies Capital, and Kickstart. HyTrust has also raised money, some $36 million in Series E funding from Advance Venture Partners, and has acquired DataGravity for its data security solutions capability. Symantec has bought Skycure as a mobile security play. Along with last week's acquisition of Fireglass, a browser isolation shop, the Skycure acquisition is expected to enhance Symantec's position in the endpoint protection markets. Finally, StarHub has announced that it will fully acquire cybersecurity firm ASEL for 26 million Singapore dollars. The Singapore telco already owned 51% of ASEL. Now it will have the whole shebang.

Returning from commerce to crime and punishment, the former head of Bitcoin exchange Mt. Gox is about to go on trial on charges of embezzlement. Cryptocurrency traders and users hope the trial will have a clearing, salutary effect on the market. But cryptocurrencies are affording opportunities for crime elsewhere. The South Korean exchange Bithumb, whose hacking we've been following, didn't suffer embezzlement, but it did sustain a breach of customer information apparently traceable to BYOD gone bad. An employee's computer appears to have been compromised, which then opened the door to compromise. And in Italy, according to Darktrace, a bank's servers were used in a Bitcoin mining scheme. This one involved BYOD with a vengeance. BYOS, bring your own servers. As employees took advantage of electrical power and cooling systems in data centers
And joining me once again is Dale Drew. He's the Chief Security Officer at Level 3 Communications. Dale, welcome back. You know, certainly we've had a lot of news about botnets, and that's something that you all have to deal with when they occur. Let's talk about botnets. Where do you see things headed as we look towards the horizon?
We're seeing sort of an evolution of botnets. Not only are they becoming much more commoditized, and not only are they able to make much more money for the actual bad guys themselves, and the bad guys have really sort of been able to rent botnets out to consumers at a much faster rate and faster scale, but we're seeing technology inside the botnet evolving to really avoid detection.

The two things that we're seeing from a botnet evolution perspective, or three things I would say: we're seeing bad guys take different components of botnet technology that's been released in the wild and sort of plug that stuff in together. WannaCry is a great example of people taking different piece parts and components of different botnets. One is an IP address scanning algorithm, one is a disk encryption algorithm, and one is a drop deployment and infection algorithm. And they put all that stuff together and then create something new as a result using old piece parts.

But we're also seeing some of the core botnet developers getting more sophisticated. And so two trends that really worry us are the use of peer-to-peer and the use of Tor. And so WannaCry, again, is a good example of Tor, where the bad guy's communication with the command and control infrastructure was over the Tor network. And so anyone watching the sort of internet network, the backbone infrastructure, lost that visibility because all you saw was traffic going into a Tor entry node and out of a Tor exit node. There's a lot of mechanisms to be able to track that activity, but the security community really needs to orient its attention in the Tor space. And then the other one is peer-to-peer. And peer-to-peer is scary because every node becomes a botnet node, and every node becomes a command and control system. You can no longer just cut off the head of a piece of infrastructure anymore. You now have to shut down the entire infrastructure before you have any effect on that botnet's effectiveness.

Is there any sense that there's a growing sophistication in the types of devices that the botnet wranglers are bringing into the botnets?
I'd say, you know, with the bad guys and especially the organized crime and the nation-state bad guys, what they're really interested in is two things. They're interested in scale. They're focusing attention on two primary things. One is protocols that have a deep entrenchment in the internet. And so anything that they can find, SMB is a great example, DNS is a great example of, you know, any protocol that has a rich history and a deep entrenchment capability inside the internet, they want to take advantage of those protocols because of the massive amount of scale they instantly have access to and the level of difficulty to repair those sorts of protocols that have such a long life. The other one is devices from a scale perspective. So the reason why Internet of Things is so popular is one exposure is essentially the same exposure for every single same class of device, that IoT device. And so if they can find a single exposure that doesn't have the nuance of being slightly patched over here or have an antivirus control over there or an intrusion detection capability over there, if they know that same exposure will uniformly work across a large scale of devices, those are the sorts of devices they're going after.

Dale Drew, thanks for joining us.
Now I'd like to tell you about some research from our sponsor, Delta Risk. We all depend on the power grid. You've heard a lot over the last few months about the grid's vulnerability. Crash Override, in particular, threw a scare into the energy distribution sector. It's a real threat, and its masters demonstrated what they can do last December in Ukraine. Power Grid works, an overview of current regulations, and a look at potential cyber threats. You'll find the guide at deltarisk.com/grid-white-paper. Delta Risk LLC, a Chertoff Group company, is a global provider of strategic advice, cybersecurity, and risk management services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And while you're there, get that guide to cybersecurity for the grid. It's deltarisk.com/grid-white-paper. And we thank Delta Risk for sponsoring our show.

Anyone who does any amount of browsing online is quick to notice that advertisers are tracking you, popping up ads for products you may have been browsing or even just searching for online. Lance Cottrell is chief scientist at Ntrepid, and he joins us to offer some insights on online ads and the technology behind them.
Advertising has really started to turn up everywhere and get very aggressive about the kinds and amount of information they're keeping track of. Just because you visit some particular website doesn't mean you want information about that forever. And if I happen to be going to a site looking up hemorrhoids or something embarrassing, and then I'm later using a web browser with someone looking over my shoulder and all the ads along the side of the browser are for hemorrhoids, that's awkward and weird. And there's no way for me to go for a friend that was whatever. You know, it's annoying.

There seems to be this ongoing developing arms race between the browsers and the people who make plug-ins for browsers. And we just had an announcement from Apple at their developer event that they're enhancing their Safari browser with something they're calling Intelligent Tracking Prevention.

Right. So what they're trying to do is reduce the ability for third parties to be tracking you as you move around the internet. So first parties are the people you're actually connecting to. So if you go to a website, they often need cookies to make the website work. And they may, in fact, be using tools from second parties. So if they're using Google Analytics to track their own website or if they've got other things to manage fraud on their website, those are second parties. Third parties are the advertisers that are going through networks onto your websites that you're visiting. And that's where the concern comes up, because now it's not just someone tracking your activities on that one website, but it's about the ability to track you across the entire internet. Every page you go to, realistically, these days, will have a Google ad tracker built into it. And that's how they get this ubiquitous view. For a long time, browsers have had the ability to block third-party cookies. So you can go in there. In fact, most of them, by default now, don't allow someone who's not directly involved in your interaction with the website to set these kinds of trackers. And very quickly, the advertisers adapted. So they now have tools to get around that and track you anyway. So Apple is sort of taking the next step in that arms race to try to stop that kind of circumvention. And so they're building smart tools to try to recognize when that's going to happen and shut that down again. But this is a very active arms race. And while consumers are somewhat interested in stopping this and express it often, but don't do much about it, the advertisers are hugely motivated to do this kind of tracking. So I suspect that any gains that Apple creates with tools like this will be quickly undone by the advertising, marketing, and tracking companies that are so motivated to maintain that ability.

And you make the point that this might give people a false sense of security.

Exactly. Like incognito mode in the browser, people turn on something like this and think, oh, okay, now I'm not being tracked. But the things that these browsers address is only a small fraction of the kinds of tracking that take place. So they can prevent, say, cookies from being implanted on your browser. But at the same time, your computer's address, your IP address, will often uniquely identify you or at least your household or your business on the internet. And in fact, almost every browser has a unique fingerprint. The combination of all the plugins, all the fonts, all the character sets, all the preferences, the size of the monitor, all of that goes together. And you think that's not that much. But actually combined, it makes you unique, the only visitor to most websites you visit with that exact fingerprint. And that allows these people to reapply the cookies to you, re-track you. And of course, that's advertisers, that's corporations, but that's also governments, hackers, someone who wants to attack you. Anyone can use these tools and do.

And so what's to be done if I want to have a reasonable amount of privacy? What are some of the steps I can take to do that?

I think the first step is being very judicious about what you share, right? When you're using these social media platforms, I think we need to go in with the there-is-no-privacy-on-these-platforms kind of attitude. You can set which of your friends see things, but we just have to assume that everything we do is on a postcard and take care with not sharing it in the first place. My general axiom is that data is a toxic asset. If it exists, it's a problem and it will get out, it will leak. You just have to assume. At some point, your ISP is going to get hacked or your email will get exposed or your computer will get compromised and you'll get doxxed. If embarrassing stuff exists, there's always a chance that it can get out there. So the first key is just being very judicious about what you create and making sure that you keep as little as you need to for as short a time as you need to. And then, you know, if you want to do something that requires privacy, that is an issue, make sure that you use tools. You use their specific anonymity tools. We build a tool called Anonymizer. There's things like Tor that are out there that you can use. Use those with care for just that purpose and then clean it out and go back to your normal activities. It's not easy to combine both.

That's Lance Cottrell from Ntrepid.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers.
I'm Dave Bittner. Thanks for listening.