CyberWire Daily - SEC, DoJ, issue civil and criminal complaints against EDGAR hackers. Lazarus Group in Chile? Iran’s Ashiyane Forum. Cryptomix ransomware. Money laundering through Fortnite. Fake WaPo edition.

Episode Date: January 16, 2019

In today’s podcast, we hear that the SEC and the Department of Justice are going after EDGAR hackers for securities fraud. Flashpoint sees the Lazarus Group in an attack on Chile’s Redbanc. Recorded Future shares notes on Iran’s Ashiyane Forum. Cryptomix ransomware is being distributed by fraudulent charitable appeals. Organized gangs are using Fortnite in-game currency for money laundering. A slickly done bogus edition of the Washington Post was being handed out in DC this morning. Ben Yelin from UMD CHHS on a recent ruling regarding 5th amendment protections for biometrics. Guest is Kevin O’Brien from GreatHorn on techniques to improve email security. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_16.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. The SEC and the Department of Justice go after EDGAR hackers for securities fraud. Flashpoint sees the Lazarus Group in an attack on Chile's Redbanc. Recorded Future shares notes on Iran's Ashiyane Forum. CryptoMix ransomware is being distributed by fraudulent charitable appeals. Organized gangs are using Fortnite in-game
Starting point is 00:02:17 currency for money laundering. And a slickly done bogus edition of the Washington Post was being handed out in D.C. this morning. From the Cyber Wire studios at Data Tribe, I'm Dave Bittner with your Cyber Wire summary for Wednesday, January 16, 2018. The U.S. Securities and Exchange Commission has entered a civil complaint against nine defendants in connection with the 2016 hack of the SEC's EDGAR reporting system. The alleged hackers are a global lot, hailing from Ukraine, Russia, and California. The SEC says the defendants made about $4.1 million through illicit trading in non-public information. That's a lot more than they made with legitimate trading.
Starting point is 00:03:08 The SEC points out that the hackers turned their attention to EDGAR after previously seeking, with some success, to gain early access to public relations news release outlets, where companies commonly stage announcements for release. Even a brief period of unauthorized access can be exploited to gain a trading advantage. In a parallel action, the U.S. Justice Department indicted two gentlemen from Kiev, both also named in the SEC's action, on 16 counts of securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud.
Starting point is 00:03:46 The two conspirators, we note with sadness, are in their mid-20s. Researchers at security firm Flashpoint have found the Lazarus Group's tracks in last month's attack on Chile's Redbanc. It was a social engineering attack with job-offering phish bait. The Lazarus Group is widely associated with the North Korean government. There's always the possibility of code-sharing or criminal false flags, but the operation seems consistent with much of Pyongyang's financially motivated hacking. Recorded Future's intelligence service, the Insikt Group, this morning published a report on the Ashiyane Forum,
Starting point is 00:04:25 a large and growing Iranian security forum that's playing an increasingly important role in Iran's burgeoning cyber-offensive capabilities. Its influence, Recorded Future notes, will be seen not only in operations carried out at the direction of the Islamic Republic, but in the criminal underground as well. Security firm Coveware is outlining an unusually cruel and repellent CryptoMix ransomware campaign. This one spreads by emails representing themselves as coming from a charity devoted to helping children who suffer from cancer.
Starting point is 00:04:59 The charity is bogus, but the children used as phish bait are all too real. Coveware says, "The ransom notes go so far as to include the names, diagnosis, and even pictures of young children that the ransom payment will support. The information appears to be lifted from crowdfunding websites and local news stories that raise genuine awareness and funds for a specific child's treatment." May the social engineers behind the current CryptoMix infestations receive their legal comeuppance.
Starting point is 00:05:32 Good hunting to law enforcement agencies. Email continues to be an attractive target for bad actors, thanks in part to its ubiquity and antiquity. Kevin O'Brien is CEO and co-founder of GreatHorn, an email security company, and he thinks it's time to rethink our approach to email protection. You're dealing with a system that's 47 years old that has been used for pretty much every business purpose imaginable. And so it is also one of the primary ways in which most cyber attacks begin. So what do you propose here? Is it a matter of training the users to detect these things or do
Starting point is 00:06:12 we need to stop them from getting to them in the first place? It's a little bit of everything, but training is a compliance move, right? And security is not compliance and vice versa. It is important that a business invests in security awareness training. But you put your finger on something very interesting in asking the question the way that you did. You said, do we need to stop them from getting to users in the first place? And the answer is we can. And that idea that we will establish a perimeter and utilize it to keep bad things out is a notion that, for the most part, the cybersecurity industry has moved past in every other permutation of security technology. We don't talk about perimeter security when we think about investing in a cloud access security broker technology, a CASB. We still have this outdated idea that a binary system that says,
Starting point is 00:07:11 that's bad, don't deliver it, let it through, is sufficient. It isn't. And that's where the opportunity lies for organizations to take an email security lifecycle philosophical shift approach and say, we're going to change the paradigm. We're going to look at email and think about, sure, some pre-delivery stuff where we can block the known bad emails from reaching users, but we're going to integrate into our security posture, incident response, rapid remediation, and purpose-built security for email, not try to take network technologies and gateway approaches to a system that no longer works that way
Starting point is 00:07:46 because we're not running network devices for an email any longer. So describe to me in this scenario what would happen if a bad email made it into my inbox and I click the link, what happens next? The risks are that an attacker says, I'm going to go after the Cyber Wire podcast, and I'm going to listen to their guests and say, oh, they're speaking with this guy named Kevin O'Brien. So my attack will impersonate Kevin O'Brien and say, oh, we've got this podcast coming up. I have some notes to share with you before we get into the podcast recording. They send you a link to a WordPress site that they compromised a week ago, but they haven't done anything with it yet.
Starting point is 00:08:27 They then deploy a phishing kit to it 15 minutes after you get the message because that link was safe when it was originally received by you. It went to, I don't know, somebody's blog. And that deployed phishing kit isn't made active until after it reaches your inbox. There is no ability to say that's a bad email. It wasn't bad until it was weaponized later. The answer here is a heuristic approach, which says, if we were to categorize all the mail that the Cyber Wire podcast team receives, how many of those messages from this fictional Kevin O'Brien come from
Starting point is 00:09:03 address A? And now you've gotten a message from Kevin O'Brien. Is it really from that same sending address? This URL you just received, is it amazon.com or is it a fairly unusual WordPress site? And if we plot that against a huge corpus of data of many podcasters in this scenario that we're playing out, how many of them have gotten a link like this one? Is this unusual? And if it's statistically unusual, it's not the case that it's bad. It's just unusual.
Starting point is 00:09:35 But we can now start to layer in additional security so that when you do click on it, maybe we run it in a browser isolation mode. Maybe we don't let you directly interact with it. If it's asking you for your credentials, maybe we're starting to say, this looks like a credential theft attack. And we're not going to let you go and put those credentials into that site. But here's the workflow that you can speak to your team if you think this is legitimate. We can use those same concepts different in implementation for things like links and emails. And that's, I think, where the future starts to go.
Starting point is 00:10:07 This is how you start to modernize email security. That's Kevin O'Brien from GreatHorn. If you really must play Fortnite, Check Point recommends enabling two-factor authentication on your account. There's account hijacking afoot, much of it enabled by dodgy sites promising ways of accumulating V-Bucks, in-game currency, at a discount. The European Union Anti-Corruption warns that Fortnite, with its V-Bucks, is growing increasingly popular with organized crime as a
Starting point is 00:10:37 money laundering medium. So don't, don't buy in-game currency at a discount. You're helping criminals. Consider satisfying your urge to trade for the wherewithal to buy loot boxes by doing the Fortnite dance instead. It will be better for your health, too. Put down that controller and dance. There's been much concern lately about deep fakes and the threat they could pose to news media, organizations, and really all kinds of people. There's been a relatively shallow but nonetheless pretty slick fake in
Starting point is 00:11:10 circulation around Washington this morning. The Washington Post warned a little before 8 this morning local time that phony print editions of the paper announcing President Trump's resignation were being circulated around Washington. The announcement came via Twitter, posted by the Post's PR department. The screamer headline in the false edition reads simply, Unprecedented. The Post also tweeted that they think there may have been imposter websites established. The comments on the Post's tweet are surprisingly unsympathetic. A few of them remarked, in effect, that you'll be able to recognize any bogus site by its not being sequestered behind a paywall.
Starting point is 00:11:50 One asked the Twitter account to hold up a copy of today's Times so that we'll know it's really you. They didn't say whether it was the Washington, New York, London, or Los Angeles Times. The Hill says that activists are handing out copies of the bogus paper at numerous locations around the Capitol. The Post itself is pointing to a Facebook video Code Pink posted to its site, showing the left-oriented group's founder passing out the papers. The progressive advocacy group MoveOn, according to The Hill, says that it wasn't responsible for the fake, but that it approved. Those who like the fake, and a quick look at reactions, suggest to us that journalists aren't generally fans, at least not so far. They point to the edition's date, which is May 1st of this year, as enough to flag
Starting point is 00:12:37 it as satire. So it's not really fake news or propaganda or any of the other forms of information operations that have been so widely excoriated in recent months, says them. Just satire, right? Whoever put the issue together had a pretty good grasp of the Post's visual style and either a respectable staff or a whole lot of time on their hands, or both. They also had access to a good four-color press, and those things aren't exactly available at the checkout line in your local Royal Farms. Sure, they're a more easily obtained piece of infrastructure than, say, one of the turbines used in electrical power plants, and they're not just
Starting point is 00:13:17 lying around in some untraceable form. We think it's safe to predict this bit of news. Expect there to be litigation. And that's no fake. Finally, we close with a brief notice of farewell to one of the last of the Second World War's code talkers. The Navajo Nation has announced the passing of Alfred K. Newman in New Mexico over the weekend. Mr. Newman, who died at the age of 94, served in the 1st Battalion, 21st Regiment of the 3rd Marine Division between 1943 and 1945. Our condolences to his family and our thanks for his service.
Starting point is 00:13:56 Semper Fi. Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:14:46 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning
Starting point is 00:15:51 digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, it's great to have you back. We had an article come by recently. This was from Forbes, written by Thomas Brewster, and it was titled "Feds Can't Force You to Unlock Your iPhone with Finger or Face, a Judge Rules."
Starting point is 00:16:43 What's the latest here? Yeah, so it's really a fascinating set of legal decisions. This was a ruling from a California judge. My native California always seems to produce some of the most notable digital privacy rulings. And here we are again. And that judge ruled that law enforcement cannot force an individual to unlock their iPhone using facial recognition, using fingerprints, etc. And the justification was that this is a violation of the Fifth Amendment right against self-incrimination. Now, where I think this gets complicated is that the Fifth Amendment traditionally has only applied to testimonial evidence. So, for example, you can't be forced
Starting point is 00:17:27 to testify against yourself at trial. That would be a very clear Fifth Amendment violation. However, that doesn't apply to other types of evidence, like, for example, presenting yourself as part of a police lineup. You don't have a Fifth Amendment right against self-incrimination when it comes to that. So we've had this sort of nebulous, unclear set of judicial decisions. There's been sort of an argument as to whether facial recognition falls under that testimonial evidence or whether it falls under more like a police lineup where you're not actually testifying, you're simply just showing your face and seeing if somebody can recognize it. The reason this is complicated as it relates to digital devices is previous courts have ruled that entering in your
Starting point is 00:18:16 passcode or using a thumbprint does count as testimonial evidence for the purposes of the Fifth Amendment. Facial recognition, in terms of its ability to unlock an iPhone, performs the exact same function as a thumbprint and entering a passcode. So there's really no practical difference. And I think what this judge was saying is, since there is no practical difference, why should there be a legal distinction between facial recognition and one of the other methods used to unlock a device. And I think that's compelling. I think facial recognition as a means to unlock a phone more closely used to testimonial evidence because it's, you know, revealing something
Starting point is 00:18:59 personal about oneself, you know, all of the data that is stored on a person's smartphone or device, rather than a means to just recognize somebody, which is, I think, what the previous cases about police lineups were about. This court case has gone against some previous rulings. We discussed an article that came out in September where a judge allowed the federal government to force somebody to unlock their phone using facial recognition. I think what that indicates is there's going to be a real circuit split among our judicial circuits. And this is a very unsettled question because it kind of falls in between two areas of Fifth Amendment jurisprudence.
Starting point is 00:19:50 So where does it go from here? First of all, how does this affect the entire nation? Does this apply nationwide? And then do you suppose this will make its way to the Supreme Court? I think it's possible it makes its way to the Supreme Court. There's no nationwide applicability to this decision. It's not like there was a nationwide injunction. This is not binding precedent on any of the other circuits outside the Ninth Circuit where it was decided in the Northern District of California. It's certainly persuasive to some other judges that might be considering these cases. This is something that's going to become more and more ubiquitous. There are a lot of cases where there's going to be very compelling evidence contained on personal devices. And that means, you know, especially as the iPhone X becomes one of the most prominent cell phones on the market and future editions of the iPhone and perhaps other
Starting point is 00:20:37 devices use facial recognition as a tool to unlock the phone, you're going to get a lot of cases where that's the only ticket for law enforcement to get access to that data. I think there's indication that this case is going to get appealed. That would go to the Ninth Circuit Court of Appeals. And I think it's definitely the type of case that you could see at the Supreme Court just because it's straddling two different lines of cases dealing with the right against self-incrimination. It's compelling, to me at least, that since there's no practical distinction between using a thumbprint or using a passcode to unlock a device between simply showing your face,
Starting point is 00:21:18 that leads me to believe that there should be no legal distinction as well. And I think that's something we'll have to see the Supreme Court wrestle with. All right. Well, we will keep an eye on it. Time will tell, of course. Ben Yelin, thanks for joining us. Thank you. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:21:45 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's The Cyber Wire.
Starting point is 00:22:32 For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell,
Starting point is 00:23:06 John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.
