CyberWire Daily - Someone takes an unhealthy interest in Citizen Lab. Ukraine accuses Russia of election phishing. Russian bigshots doxed. Tension over Venezuela. Swatting indictments. National Privacy Day.
Episode Date: January 28, 2019
In today's podcast, we hear about some Spy vs. Spy at Citizen Lab, but who the spies were working for isn't clear. Ukraine's cyber police accuse Russia of phishing for election influence. As Fortuna's wheel turns, Russian bigwigs get doxed by transparency hacktivists. Great power tension over Venezuela bears watching in cyberspace. Alleged swatters indicted and arrested. Happy National Privacy Day. Emily Wilson from Terbium Labs on "fullz" records of children being sold on the dark web. Guest is Sean Lyngaas from CyberScoop with his insights on the DNS hijacking threat. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_28.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
It's spy versus spy at Citizen Lab, but who the spies were working for isn't clear.
Ukraine's cyber police accuse Russia of phishing for election influence.
As Fortuna's wheel turns, Russian bigwigs get doxxed by transparency hacktivists.
Great power tension over Venezuela bears watching in cyberspace.
Alleged swatters have been indicted and arrested.
And happy National Privacy Day.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 28, 2019.
Citizen Lab reports that two of its researchers have been approached by people expressing
an interest in them as individuals, and then in their work on
commercial intercept tools, specifically those produced by the NSO Group. The lab, based at the
University of Toronto, had been investigating the possible use, presumably by the Saudi government,
of NSO Group tools against the subsequently murdered opposition figure and columnist
Jamal Khashoggi. Citizen Lab stresses it has no evidence the NSO Group was involved in approaching its researchers,
and NSO Group says it had nothing to do with it.
The people who made the approach represented themselves as socially conscious investors
associated with FlameTech and CPW Consulting,
both of which, the AP concluded after investigation, appear to be bogus.
Their fraudulence extended to such familiar social engineering techniques
as using stock images of people to serve as pictures of the purported company's executives.
Note that FlameTech is all one word, and not to be confused with, for example,
the similarly named legitimate welding equipment vendor.
That company uses two words.
There are also legitimate and innocent outfits
with names like CPW Consulting.
The bogus front operation uses a hyphen in its name.
The lab worked with the AP to let a face-to-face meeting
between one staff member and the individual who contacted him play out.
Citizen Lab says the approach was similar to one that private security firms use,
and it put the AP in mind of the kind of private eyes they say Harvey Weinstein favored
in his alleged attempts to silence the women he importuned.
There may well be similarities to private security techniques,
but we should also note a similarity to the way an espionage service
might seek to compromise and recruit an agent.
Ars Technica calls the techniques the people from FlameTech and CPW Consulting used
comically inept, and there is indeed a touch of the comic book, the movie, the TV show about them,
especially if one thinks back to the early vogue for spy thrillers that James Bond flicks prompted back in the day.
But don't get cocky, kids.
This may have been Man from U.N.C.L.E. stuff, but it didn't sink to Get Smart levels of hilarious implausibility.
People, and not even unusually incautious or dopey people, have fallen for less sophisticated scams in the past.
Recall that a lot of people who should have known better, did know better,
swallowed the Robin Sage catfish demonstration hook, line, and sinker.
Do note that the approach involved attempts to cultivate personal connections,
find apparent common interests, and so on.
The hoods do seem to have rushed their game a bit, but sometimes a rushed approach works. At any rate, it's sad to say, but true, if a stranger pops up with whom you seem to
have a lot in common, and who seems to have taken an interest in you, be on your guard. Sure, it
could be a headhunter or a potential investor, but it could be someone else too. And if they begin to
ask you to perform small, innocent good deeds for them,
a copy of a phone directory perhaps,
or an agreement to email a friend of theirs with some advice on study abroad programs,
well, run for the exit and tell your security officer.
The U.S. Department of Homeland Security recently put out an emergency directive
concerning the secure management of DNS records
across the federal government. Sean Lyngaas is a senior reporter for CyberScoop, and he's been
following the story. This story began because private researchers released warnings in recent
weeks and months that there was a broad set of malicious activity related to domain name systems
occurring in different parts of the world.
Researchers from Cisco Talos, which is the threat intelligence unit of Cisco,
released research in November warning about such a campaign that targeted,
in this case, Lebanese and United Arab Emirates government websites.
And then in January, researchers from cybersecurity company FireEye also put out research outlining how this type of attack was unfolding
against a broader set of targets also. With that body of research, the Department of Homeland
Security grew concerned that U.S. federal civilian agencies were vulnerable to this type of attack.
And indeed, according to our reporting, at least six agencies have been affected by so-called
malicious domain name system tampering. And that's why the department decided to issue
its first ever emergency order to agencies to fix this problem, and that was under authority granted to the
department in 2015 by Congress.
And so what is the threat here, the manipulation of the DNS records? What could that result in?
It could result in malicious traffic, in the most basic case, malicious traffic
being directed at users. So tricking a computer user in the government when they're trying to visit a website that they trust,
redirecting them to somewhere else where their computer could be infected.
And my understanding is it also could be a conduit for other more sophisticated attacks.
Hence the concern of this kind of malicious activity gets to the root
of how records are kept on the internet and websites are verified. So in that sense,
it's kind of a core level issue that has to be dealt with.
And what is in the emergency directive? What are they requiring the agencies do?
It's a series of steps, including doing something that a lot of cybersecurity experts are always telling users to do, which is to use multi-factor authentication when managing DNS-related accounts, domain name system accounts.
So requiring a backup login method in order to access those accounts.
It's unclear how many agencies are not doing that now, but again,
that's one of the requirements. And then another requirement is to compare certificate logs. So
going in, making sure that all that matches up the way it should be, because according to some
of the research, the private sector research that I mentioned, the attackers have been going after those certificates as a means of compromising systems. So those are two things. And other
measures include auditing DNS records. It's all being asked to be carried out within 10 business
days. And that clock is already ticking. You know, I've seen some praise for DHS from private sector cybersecurity executives, saying, way to be clear in outlining the challenge, and the coordination.
I think they want to. This is being seen as an example of good coordination between top level researchers and the department, which has invested a lot in bringing in cybersecurity talent in the last couple of years.
That's Sean Lyngaas from CyberScoop.
You can follow his ongoing reporting on the DHS emergency directive on the CyberScoop website.
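Two of the directive's steps as Lyngaas describes them, auditing DNS records and comparing certificate logs, come down to diffing what is observed against what the organisation knows it configured. The following is an added example written for this page, not code from the episode, CyberScoop or DHS: it takes a known-good baseline of DNS record sets, a fresh set of lookups, and a list of certificate-transparency entries, and reports record sets that drifted and certificates from issuers the organisation never engaged. Every domain, address, issuer name and timestamp in it is constructed; in practice the observed records would come from a resolver query and the certificate entries from a CT log search.

```python
"""Baseline audit for DNS record sets and certificate-transparency entries.

Added example, not from the CyberWire episode or from DHS. Models two of the
emergency directive's steps as described in the interview: auditing DNS
records against a known-good baseline and checking issued certificates
against the issuers the organisation actually uses. All data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple

# Record key: (owner name, record type); value: the set of RDATA strings.
Records = Dict[Tuple[str, str], FrozenSet[str]]

# Constructed baseline: what the zone is supposed to contain.
BASELINE: Records = {
    ("example.gov.", "NS"): frozenset({"ns1.example.gov.", "ns2.example.gov."}),
    ("example.gov.", "A"): frozenset({"192.0.2.10"}),
    ("mail.example.gov.", "A"): frozenset({"192.0.2.25"}),
    ("example.gov.", "MX"): frozenset({"10 mail.example.gov."}),
}

# Constructed observation from a fresh lookup: one delegation server and the
# mail host's address differ from the baseline, and a new name has appeared.
OBSERVED: Records = {
    ("example.gov.", "NS"): frozenset({"ns1.example.gov.", "ns-x.example.net."}),
    ("example.gov.", "A"): frozenset({"192.0.2.10"}),
    ("mail.example.gov.", "A"): frozenset({"198.51.100.7"}),
    ("example.gov.", "MX"): frozenset({"10 mail.example.gov."}),
    ("www.example.gov.", "A"): frozenset({"192.0.2.11"}),
}

# Record types whose change re-routes traffic or delegation rank high.
HIGH_IMPACT_TYPES = {"NS", "A", "AAAA", "MX", "CNAME"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    kind: str      # "changed", "added" or "removed"
    severity: str  # "high" or "low"
    detail: str


def diff_records(baseline: Records, observed: Records) -> List[Finding]:
    """Return one Finding per record set that departs from the baseline."""
    findings: List[Finding] = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        severity = "high" if rtype in HIGH_IMPACT_TYPES else "low"
        before, after = baseline.get(key), observed.get(key)
        if before is None:
            findings.append(Finding(name, rtype, "added", severity,
                                    f"new rrset {sorted(after)}"))
        elif after is None:
            findings.append(Finding(name, rtype, "removed", severity,
                                    f"lost rrset {sorted(before)}"))
        elif before != after:
            detail = f"+{sorted(after - before)} -{sorted(before - after)}"
            findings.append(Finding(name, rtype, "changed", severity, detail))
    return findings


# Constructed CT entries as an auditor might export them from a log search:
# (subject name, issuer, log timestamp).
CT_ENTRIES: Sequence[Tuple[str, str, str]] = [
    ("example.gov", "Agency Internal CA", "2019-01-10T09:00:00Z"),
    ("mail.example.gov", "Agency Internal CA", "2019-01-12T09:00:00Z"),
    ("mail.example.gov", "Free Public CA", "2019-01-24T03:12:00Z"),
]

# Issuers the organisation actually uses for each name (constructed).
EXPECTED_ISSUERS: Dict[str, Set[str]] = {
    "example.gov": {"Agency Internal CA"},
    "mail.example.gov": {"Agency Internal CA"},
}


def unexpected_certificates(entries, expected) -> List[Tuple[str, str, str]]:
    """Return CT entries whose issuer is not on the allow-list for that name.

    A certificate for one of your names from a CA you never engaged means
    someone else satisfied domain validation for it; that is the kind of
    mismatch the certificate-log comparison is meant to surface.
    """
    return [e for e in entries if e[1] not in expected.get(e[0], set())]


def audit() -> Tuple[List[Finding], List[Tuple[str, str, str]]]:
    """Run both checks over the constructed data and return the results."""
    return diff_records(BASELINE, OBSERVED), unexpected_certificates(CT_ENTRIES, EXPECTED_ISSUERS)


if __name__ == "__main__":
    dns_findings, bad_certs = audit()
    for f in dns_findings:
        print(f"[{f.severity}] {f.name} {f.rtype} {f.kind}: {f.detail}")
    for subject, issuer, seen in bad_certs:
        print(f"[high] unexpected certificate for {subject} from {issuer} logged {seen}")
```

The baseline is the piece that has to exist before an incident: it is the organisation's statement of what its zone should contain, kept somewhere the DNS account credentials do not unlock, so that an attacker who changes records at the registrar or host cannot also change the reference the audit compares against.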
Ukraine's cyber police say they're seeing an upsurge in Russian phishing aimed at disrupting upcoming elections.
Russia says it's never done anything of the kind anywhere to anyone.
Transparency activists at the organization calling themselves Distributed Denial of Secrets
have released a very large set of documents produced by prominent Russians, politicians,
oligarchs, journalists, and religious leaders, the New York Times and others report. The size of the dump is said to be 175 gigabytes.
Called The Dark Side of the Kremlin, the content the group posted is intended to be seen as
discreditable, as no doubt much of it is. Distributed Denial of Secrets is described
by Rappler as a kind of WikiLeaks rival, but their selectivity with
respect to what they release is thought to be less finicky than that shown by the House of Assange.
The New York Times, for example, reports that WikiLeaks had declined to publish the documents
on the grounds that it, quote, rejects all submissions that it cannot verify, end quote.
It also rejects material it finds insignificant,
but WikiLeaks didn't say which category included the Russian documents.
The Daily Beast quotes Nicholas Weaver,
a researcher at the University of California
at Berkeley's International Computer Science Institute,
on WikiLeaks' practices.
Weaver said, quote,
A lot of what WikiLeaks will do is organize and republish information
that's appeared elsewhere.
They've never done that with anything out of Russia.
Much of what Distributed Denial of Secrets has released with The Dark Side of the Kremlin
appears to originate with hacktivist groups like Shaltai Baltai, the Ukrainian Cyber Alliance, and Cyber Hunter.
Russia and China have joined to block a U.S.-sponsored attempt
to gain U.N. recognition of Juan Guaido as Venezuela's acting president.
Reuters also reports the presence of deniable Russian military contractors in Venezuela
guarding Chavista incumbent Nicolas Maduro,
declared illegitimate by the National Assembly.
Expect hybrid operations to accompany the tension.
And finally, today is National Privacy Day.
Unisys shared a snapshot of American attitudes toward online privacy with us.
Their results suggest the circumstances in which American adults would prefer to keep things to themselves.
Among the top concerns are apps and devices that share behavioral,
geolocation, or health data. Here's a quick summary of Unisys' conclusions.
42% don't want their health insurance providers to track their fitness activity via wearable
monitors to determine premiums or reward behavior. 38% don't want police accessing data from their
wearable fitness monitor at their discretion to determine if they were at a given location at a certain time. 34% don't want medical devices
such as pacemakers or blood sugar sensors to immediately transmit any significant changes
to their doctor. 24% don't want an emergency button on their smartphone or smartwatch to
send their location to police if they need help. And 21% don't want an
app on their smart watch from their bank or credit card company to make payments from their watch.
So on National Privacy Day, keep it to yourself. All right?
Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword. It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals
to bypass your company's defenses
is by targeting your executives and their families at home? Black Cloak's award-winning
digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
And joining me once again is Emily Wilson. She's the VP of Research at Terbium Labs. Emily, great to have you back. You and I have talked about this notion of fullz, with a Z, these records online, and there's some fullz having to do with kids that have come to your attention recently. What are we talking about here today?
As you mentioned, we've talked about fullz before, and your listeners might recall that these fullz stand for full ID packs,
basically full personal information kits.
And for an adult, that would be something like payment card, name, address,
maybe username and password for an account, mother's maiden name,
answers to security questions, the digital equivalent of someone stealing your wallet
with all of your information inside. In this case, though, we're talking about kid fullz.
So this is child data. A few weeks ago now in late December, we discovered a series of listings
across some of the major dark web markets where one vendor was selling kid fullz. These are
children, so they have less information in the system, but name,
address, phone number, and social security number for kids. And what's the appeal of this?
There are a few different ways people can use this. One of the most common ways we're hearing
now, of course, is synthetic IDs, where you're creating a synthetic identity using information
for children, people who aren't in the credit
system yet, people who aren't going to notice something on their credit report, at least not
for another 10 or 15 years. You might use it for a child tax credit. Child information has a couple
of unique benefits. One, it's truly fresh data, which is hard to come by in a system where
information is being compromised all the time. This is information that is fresh because it didn't exist two months ago, right? When you're
using infant data or baby's data, they weren't alive a few months ago in most cases. So it's
brand new to the system. And two, as I mentioned with the credit report, no one's checking on this.
No one is monitoring their kid's credit. No one's freezing their kid's credit.
If you're listening to this, stop what you're doing right now and freeze your kid's credit.
Is there any notion for how the folks are vacuuming these up?
How do they get them en masse?
So it's an interesting question because when we think about child data,
particularly for young children or babies, the number of possible sources is
relatively small. If you're an adult, you can be breached from one of hundreds of different points.
But for babies, really, we're talking about hospitals and government records and maybe
when they get a little bit older, child care or educational system. In this case,
the vendor says explicitly that these are from pediatricians' offices or health care networks. And they have other data up for sale that says they recently breached a major hospital.
And so if you're a parent, how do you protect your kids against this sort of thing?
Well, first recognize that your children are open to data compromise just as much as adults are. You know, these records are specifically listed as belonging to children, but any other hospital records that may have been breached or educational records that might
have been breached, child information is getting caught up there. So recognize that they are also
at risk, that we're not just talking about adults. And then the other thing you can do,
which really is the only other thing you can do as an adult as well, is to freeze your credit,
monitor your credit. People are using this
information because they want to monetize it. So nip that in the bud the only way you can.
To add insult to injury, a few years ago now, the Social Security Administration changed the way
they were issuing social security numbers, which means that instead of following that
familiar pattern that we all know, where you have sort of the group code and the area code, and this
followed a predictable set. Now these numbers are randomized, which means that it's harder to tell
if a number belongs to someone who's two weeks old, if a number belongs to someone who's
22 years old, or if the number hasn't been issued yet, because it checks out.
All right. Well, it's interesting information,
something certainly as a parent to keep an eye on. Emily Wilson, thanks for joining us.
Cyber threats are evolving every second and staying ahead is more than just a challenge.
It's a necessity. That's why we're
thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses
worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization
runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
And that's the Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell,
John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious,
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.