CyberWire Daily - Spearphishing the UN and NGOs. Clickware kicked out of app stores. ICS security notes. Close-reading the Turla false-flag reports. A good use for the dark web. Senators call for investigations.

Episode Date: October 25, 2019

A spearphishing campaign is found targeting humanitarian, aid, and policy organizations. Google and Apple remove clickfraud-infested apps from their stores. A last look back at SecurityWeek's 2019 ICS Cyber Security Conference, which wrapped up in Atlanta yesterday afternoon. Close-reading GCHQ and NSA advisories. The BBC takes to the dark web, in a good way. And Senators call for investigations of Amazon and TikTok. David Dufour from Webroot with research on phishing. Guest is Jeremy N. Smith, author and host of The Hacker Next Door podcast. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/October/CyberWire_2019_10_25.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A spearphishing campaign is found targeting humanitarian, aid, and policy organizations. Google and Apple remove click fraud infested apps from their stores. A last look back at Security Week's 2019 ICS Cybersecurity Conference, which wrapped up in Atlanta yesterday afternoon. Close reading GCHQ and NSA advisories. The BBC takes to the dark web
Starting point is 00:02:19 in a good way. And senators call for investigations of Amazon and TikTok. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 25th, 2019. Security firm Lookout has found a large phishing campaign targeting United Nations agencies and a range of aid, humanitarian policy, and academic organizations. Lookout researchers say the infrastructure used to conduct the spearphishing has been in place since March. They emphasize it is targeted to individuals in the affected organizations. The targets Lookout identified include the Red Cross, UNICEF, and the UN's World Food and Development Programs. There were also think tanks and advocacy groups on the list,
Starting point is 00:03:12 organizations like the Heritage Foundation, the United States Institute of Peace, and the University of California, San Diego. Lookout made no attribution and said it had no basis for speculation, so the threat actor behind the campaign could be anyone from a criminal gang to a nation-state. Google scrubbed 42 apps from the Play Store that served Ashas adware. The Bratislava-based security firm ESET discovered Ashas, which has been active for about a year. Google was quick to give the bad apps a summary heave-ho out of the Play Store, but ESET reminds everyone that old apps never die,
Starting point is 00:03:53 they just fade away into dodgy third-party stores. The researchers trace the developer of Ashas to a university in Vietnam, where one wishes the students would stick to their books. Malware development can end badly. Just ask that guy at Rutgers who put together Mirai a couple of years ago. In another purge, Apple removed 17 trojanized iOS apps that London-based mobile security shop Wandera identified and reported. The apps were infested with clickware, and according to Indian media site GadgetsNow,
Starting point is 00:04:24 were the work of AppAspect Technologies. Wandera explains, clickware is a well-known class of unwanted programs. A clicker's principal uses include the obvious one of goosing the number of interactions with an ad, thereby increasing revenue under the common and entirely legitimate pay-per-click advertising model. A more subtle use, which our crimeware desk is embarrassed to say hadn't really occurred to them until Wandera pointed it out, is to hit a competitor by artificially inflating the clicks on a competitor's ad, which in turn increases the amount of money that competitor will owe the ad network.
Starting point is 00:05:02 Security Week's 2019 ICS Cybersecurity Conference wrapped up yesterday afternoon in Atlanta. The conference showed, as it has in past years, a more even mix of clients and vendors than one often sees at such events. The last day's discussions returned to themes that had been prominent throughout the week, especially the centrality of process integrity and the importance of attention to sound security fundamentals. The former point's prominence showed a maturation of the ICS security community's understanding of the challenges it faces, and also the waning of the familiar complaint that industrial cybersecurity remains too dominated by those who've come up through the information assurance
Starting point is 00:05:41 ranks. And that second point, while certainly not a new one, is far from being banal. CyberX's Phil Neray presented his company's annual risk report, and those interested in seeing some of the reasons why the basics continue to matter need look no further. CyberX gives a numerical score with its assessments. They recommend an 80 as a passing grade, and across the industrial sectors they observed, the grades aren't encouraging. Oil and gas comes out the best with 74. Energy and utilities is second best at 70.
Starting point is 00:06:15 Manufacturing, 63. Pharmaceuticals and chemicals, 62. And other, 62, are the laggards. The median security score CyberX awards across all industrial sectors is a 69. The Baltimore high school we've got the most recent experience with would grade that numerical score as an F. Sure, you'll want to say it's a high F, call it an F+, but still, no good. The Russian embassy to the UK has told Reuters that reports of Turla piggybacking on Iranian attack methods
Starting point is 00:06:49 are unsavory misreadings of GCHQ and NSA warnings. So, Turla didn't do nothing, and besides, who's this Turla anywho? But the denial is better than most. The embassy diplomatically doesn't slang either GCHQ or NSA, with both of whom we'd think Moscow has plenty of beefs, but rather recommends close reading what the two agencies have actually said. So the press has got it wrong, say the diplomats. We don't know. We read this stuff too, and it seems pretty clear to us the Russian threat actor Turla, also known as Venomous Bear, was flying an Iranian false flag.
Starting point is 00:07:30 The dark web gets more bad press than good, but it's worth noting that it has its benign uses, like the BBC's adoption of Tor to help its users avoid censorship by repressive governments. The network particularly mentions China, Iran, and Vietnam as countries who've sought to restrict its content. The BBC News International site will be available in the Mirror, as will the BBC's Arabic, Persian, and Russian services. U.S. Senators Wyden, Democrat of Oregon,
Starting point is 00:08:00 and Warren, Democrat of Massachusetts, have asked the Federal Trade Commission to investigate any role Amazon may have had in the Capital One breach. The Washington Post reports that Senators Cotton, Republican of Arkansas, and Schumer, Democrat of New York, have asked the intelligence community to determine whether the Chinese-owned social network TikTok represented a security threat. With respect to content moderation, TikTok told BuzzFeed its moderators are in the U.S., not China. BuzzFeed goes on to point out that in fact there have been some pro-Hong Kong protester posts on TikTok.
Starting point is 00:08:35 The story says they appear to have been put there more to just see if they'd go through, so the effort hardly seems to rise even to the low level of slacktivism. Anyway, TikTok says its content moderation standards are being upheld by an American unit, not a Chinese one. How relevant that may be is unclear. After all, the NBA is pretty much American, and they've been playing the Washington Generals to Beijing's Harlem Globetrotters for some time.
Starting point is 00:09:09 Calling all sellers. Salesforce is hiring account executives to join us on the cutting edge of technology. Here, innovation isn't a buzzword. It's a way of life. You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash
Starting point is 00:09:32 careers to learn more. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:09:57 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
Starting point is 00:10:27 when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:11:23 BlackCloak. Learn more at BlackCloak.io. And joining me once again is David Dufour. He's the Vice President of Engineering and Cybersecurity at Webroot. David, it's always great to have you back. I wanted to talk today about phishing attacks. I know you all at Webroot have been doing some research on this, and you've got some statistics to share with us. That's exactly right, David. As always, great to be back. And phishing, you know, people, it seems like we always talk about phishing, but it remains the number one way that people are attacked or exposed online through cyber attacks. So it's always something important that we should talk about.
Starting point is 00:12:02 Well, let's go through your research together. You've got some interesting findings here. Yeah. So we did a survey, a pretty extensive survey. One of the biggest things is people really feel like they can identify a phishing email. And believe it or not, they're struggling. And a lot of this, you know, you and I both can identify the email from the Nigerian prince who's going to send us $50 million, right? But that's not what phishing emails are anymore, David. They're hyper-focused on improved spelling, improved grammar, and they are becoming more psychologically focused where they're trying to get you to react rather than just saying, hey, maybe you can get a million dollars or, hey,
Starting point is 00:12:43 it's your bank. Maybe you should call us. They're really trying to play on things like it's, hey, this is your boss. I need something urgently. Or this is your financial institution. Your account's been hacked. We need you to click here right now and update your account information. They're really getting good at that psychological component. So is there a little bit of a disconnect there where maybe people feel as though they're better at distinguishing them than they actually are? There's not only a little bit of a disconnect. It's huge. Around 80% of folks really genuinely feel like that they can identify it.
Starting point is 00:13:16 But then once we start drilling into interviewing, they're struggling with finding phishing emails because they still hearken back to the days of the poor grammar and things like that. But in addition to that, most people think phishing attacks only come through email. And that is the primary vehicle. But we're seeing large attacks. We're seeing a 6% increase in attempts through social media. We're seeing increases through SMS attacks and phone calls. People forget about phone calls as well. So it's absolutely growing. And what's the answer here? How do we protect people against this? Well, one of the number one things, David, and you're going to roll your eyes because I was shocked at this and would not have believed it. 35% of people who've been phished did not change their password on the account that was phished.
Starting point is 00:14:07 So they knew they'd been phished. They knew they clicked the link. They knew they entered their credentials. They did not go back and change their password. So if you do nothing at all, nothing, change your password if you've been phished. Now, what about from the employer's point of view? Is this something where I'm going to get my money's worth on my investment, on training for my employees, maybe sending them test messages, test phishing messages, that sort of thing? Yeah. So we're a huge proponent of that because the number one thing you can do in terms of if
Starting point is 00:14:39 you're an employer is to train your employees to identify phishing emails and what to do with it. Obviously, if people don't know what a phishing email looks like, they don't know how to respond to it. So training is always imperative because they're playing psychologically on folks. And the second part of that is what do they do if they suspect a phishing email or if they've been phished? People can be embarrassed. They can be a little bit like, oh my gosh, I'm going to get in trouble. You have to spell it out that you're not going to get in trouble. And in fact, if you have been phished, it's imperative that you tell your organization because then they have tools they can put in place to monitor for activity around that phish. So it's really important that you let people know all of us get phished, David. It's not a
Starting point is 00:15:25 question of if, it's more of a question of when. Yeah. So there's no shame in admitting it. That's exactly right. Doing so really will help your organization. But again, back to what your organization can do, continuous training, always making sure people are aware of what to do. That's the number one thing. All right. Well, the blog post is Hook, Line, and Sinker, Why Phishing Attacks Work. It's over on the Webroot website. David Dufour, thanks for joining us. Great being here, David. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total
Starting point is 00:16:15 control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. By working as I do in this industry, you start to see the world as not a series of constrained conditions that you must acclimate yourself to and submit yourself to. But you see the world as an environment that is under your control. And you say, well, if I don't like what I'm encountering here, if something's not working for me, I will just immediately use whatever I can on hand to change my environment. I will remake the situation to be better for me and those around me.
Starting point is 00:17:09 That's the hacker who goes by the name of Deviant Ollam, being interviewed by my guest today, author Jeremy N. Smith, for his new podcast series, The Hacker Next Door. I've spoken with Jeremy before about his book Breaking and Entering, the extraordinary story of a hacker called Alien. In our most recent conversation, I asked him how writing that book led him to producing the Hacker Next Door podcast series. Writing Breaking and Entering was really exciting to me because I had this main character who was a female hacker who'd grown up with the information insecurity industry with hacking as it went from a sort of skateboarding-like subculture to this 100 billion plus industry. But I was not able to follow all the juicy side stories or dig into all the other kind of characters I met along the course
Starting point is 00:18:02 of my research and reporting. So I really wanted to be able to follow their stories and just give their voices a chance to be heard too. And also represent the huge range of kinds of hackers and kinds of hacking that are out there and do that with 10 different people, 10 different kinds of hackers, 10 different kinds of hacking in this sort of spinoff series. So take us through some of the stories that you've gathered here on this podcast you've launched. breaking and entering and his sort of mindset when he's sussing out a new scenario to break in, as well as the sort of hacker social scene and the convention scene and how that's grown up. I talked to Karen Sprenger, who is a COO, about managing and hiring a group of hackers. How do you hire people whose job is to be devious? How do you manage them? And she's also a ransomware negotiator. So what that looks like, what's it like talking to the black hat hackers on a daily basis? I talked to an African American woman, Skylar Rampersad, who's at Immunity Inc. But when she was 15 years old, she was recruited by the NSA when she was a sophomore in high school, and she ended up working with them for 12 years. So what's that like? I talked to Johnny Long, the founder of Hackers for Charity, about rising in the hacker ranks, becoming really famous, prominent, popular, and successful.
Starting point is 00:19:59 And that not satisfying him and feeling really empty inside and finding God and moving with himself and his entire family, including, I think, two, three kids to Uganda for more than five years and setting up a philanthropy entirely funded by the hacker community. I've got hacker parents on raising hacker kids. I've got L0pht member Joe Grand on hardware hacking and his first public speaking experience, which was testifying before Congress when he was like 22, and hosting the show Prototype This, which helped launch the autonomous vehicle industry, among other things. I've got Bugcrowd CEO, Casey Ellis, on what it's like to employ hundreds of thousands of hackers and the insight that gives him into the hacker economy and its ins and outs. I've got anthropologist, Gabriella Coleman, who embedded with Anonymous for six years about what seeing Anonymous blow up and then kind of get blown up was like from the inside
Starting point is 00:20:47 and the virtues of online anonymity. I've got a hacktivist, Katelyn Bowden with the BADASS Army, about fighting revenge porn and organizing a hacktivist army, and sort of going back to Alien's roots and the MIT, the original building exploration hacker scene where you're going onto rooftops, you're going up steam tunnels, you're going through elevator shafts, and you're doing these elaborate ingenious pranks. I talked to Liana Leroux, and her day job is sort of hacking the human genome, but her background is in that kind of physical building access hacking at MIT, about the pranks she pulled as an undergraduate. And the sort of transition between those worlds doing elaborate, amazing hacker-like art at Burning Man.
Starting point is 00:21:36 Was there anything that struck you going through this process? I'm thinking of new things that you learned, new insights you gained beyond what you had learned when you were writing the Alien book. Yeah, absolutely. So writing Breaking and Entering, there were so many things I learned just about the history of hacking and its origins in physical exploration before computers, but then also what it looks like day in, day out to be breaking and entering the business. But writing this, I got a much better sense. I think of hacker, I want to say, culture, but ethics and also aesthetics. So I remember the hacker parents were Caroline Harden and Grant Die, who do a huge variety of stuff from hackathons, makerspaces, the kids area, r00tz Asylum at DEF CON, and talking about, what do I tell people
Starting point is 00:22:33 who want to get their kids into hacking, but are afraid that it will turn them into criminals? And I remember Grant just saying, well, anyone who has ever used duct tape for any purpose other than repairing duct work is a hacker. And just sort of those sort of simple definitions of twisting something for a different purpose or kind of being smarter than the designer or the typical user or making your life and hopefully other people's lives easier. And Deviant, the lockpicker, talked to that too. Trying to improve the world through hacking. And just those examples and those really grounded life stories,
Starting point is 00:23:13 just getting to hear it in their own voices, just really helps me kind of convey that to other people. Because I started the podcast because I was still, even in giving talks about the book, people don't have an image of hackers. This is still a community and culture that does not have a public face. Even if you do a image search, you see literally no faces. It's all shadowed figures in hoodies or Guy Fawkes masks. And I'd met, meanwhile, all these people, diverse people. And the idea that a hacker could be a grown-up, a hacker could be a professional, a hacker could be a woman, a hacker could be a mother.
Starting point is 00:23:52 Those just super basic things were still mind-blowing to so many people. So to just have enough time and space to let the hackers speak for themselves, to show their positive side and how they got into it and what the world looks like from their perspective. That was too tempting to let pass. Is there any particular through line that you sensed as you went your way through these interviews? Is there a common thread here? Yeah, I think nobody had their career on purpose. All these people got into this world when this world was so new that they didn't know what they were getting into. They all kind of came in sideways or by accident. And they learned by doing. It wasn't having a big plan
Starting point is 00:24:40 and doing it step by step. It was saying, oh, this is interesting. This is fun. I'm going to take this step, then that step and do this project. And that growing over time to a reputation and eventually a community and kind of looking back as adults and saying, wow. I think the other thing is that so many of them see that community as threatened one way or another, or those ideals and ethics as threatened, because it's so professional that the sort of private spaces hackers have made for themselves outside of government, outside of corporate control are at risk. And the internet itself has become so commercialized and so monocultured in some of the major platforms that control so much of the traffic that the idea of taking things apart, tinkering them, making them better, sharing that
Starting point is 00:25:34 with friends, they see that as threatened too. What do you hope people take away from this? Someone who listens to the 10-episode series, what are you hoping that they learn? I want them to have a human face or human voice, in this case, to hackers and to realize how diverse hacking can be and how positive many of the outlets are. In my talks, I often make the analogy to being a surgeon. 200 years ago, if you did a Google image search, if Google image had existed for surgeon, you would have found grave digger, body snatcher, murderer. And as that profession has come out of the shadows, obviously it's white lab coat, it's saving lives, it's opening bodies to save lives. And I think we need to make that transition with hackers themselves. And I think hackers need to have a positive public image for themselves to refer to. I think it hurts the community itself to not have these virtuous examples represented because we don't know how the insides of the systems we all rely on work unless we're hearing from hackers.
Starting point is 00:26:46 And if we're afraid of them, we can't hear what they're saying. That's Jeremy N. Smith. His new 10-part podcast series is titled The Hacker Next Door. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Starting point is 00:27:27 The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Thanks for listening. We'll see you back here tomorrow.
Starting point is 00:28:26 Thank you. innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
