CyberWire Daily - TA505’s new tools. ISIS turns to emerging chat apps. Reddit asks for password resets. The EU’s right to be forgotten gets some court-imposed limits. The tweets Kaspersky flagged to NSA.
Episode Date: January 10, 2019

In today's podcast, we hear that Proofpoint researchers are tracking the latest developments from the unusually diligent cyber criminals of TA505. ISIS turns to newer, less closely monitored and moderated apps as it's pushed out of larger social networks. Reddit asks users to reset their passwords, and to make them good ones. Google seems to have made strides against expansive interpretation of the EU's right to be forgotten. And the curious tweets of @HAL999999999. Jonathan Katz from UMD on updated WiFi security. Guest is Ameesh Divatia from Baffle on the growing frustration with how companies handle our private information. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/January/CyberWire_2019_01_10.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Proofpoint researchers track the latest developments from the unusually diligent cybercriminals TA505. ISIS turns to newer, less closely monitored and moderated apps as it's pushed out of larger social networks. Reddit asks users to reset their passwords and to make them good ones. Google seems to have made strides against expansive interpretation of the EU's right to be forgotten. And the curious tweets of @HAL999999999.

January 10, 2019.

Researchers at security firm Proofpoint have described two hitherto undocumented strains of malware, ServHelper, a backdoor, and FlawedGrace, a remote-access Trojan, now being used in the wild by threat actor TA505. Proofpoint's been tracking TA505 since 2017. It's a criminal gang connected with banking Trojans, ransomware, and other forms of cybercrime. The targets against which these malware tools are being used are banks, retail establishments, and restaurants. ServHelper is being distributed in phishing campaigns, typically carried by a malicious Word file or PDF attached to phishing emails. ServHelper is then used to install the FlawedGrace RAT, and from there the theft proceeds. The one-two punch of ServHelper and FlawedGrace is likely to be with us for some time, unfortunately. Proofpoint thinks they represent a long-term investment on the part of TA505 and that the group has shown patience, focus, and persistence in the past.

ISIS has for some time received attention from content moderators on Facebook, Twitter, Telegram, and YouTube, all of which have been interested in pushing the terrorist group off their platforms. Those efforts have certainly been halting and incomplete, and frequently criticized by observers who found the moderation insufficient, inconsistent, or even insupportable, but they have had a cumulative effect on ISIS. The group has depended on the internet for inspiration, much as the Ayatollah Khomeini depended on distribution of cassette tapes of his sermons to influence opinion in the Shah's Iran before the Islamic Revolution. Wired has an account of how ISIS is turning from large social networks to more accessible, less easily moderated chat apps. The group's Amaq News Agency has recently found that some newer messenger applications are proving more suitable for their purposes: chat groups, channels, and media sharing apps, some open source, many designed for business or gaming purposes. Some of these include Rocket.Chat, Viber, and Yahoo Together. As they've noticed ISIS promoting their use, several of the applications are seeking to block the group's adherents and followers from establishing a presence there, but with mixed results. Among the more interesting developments has been ISIS's use of gaming channels for inspiration. Discord in particular is said to be drawing a fair amount of ISIS activity. Wired calls for all of these channels to take quick action against the burgeoning jihadist presence, but it's not clear how such action could be taken in an unproblematic way. Consider gaming channels. How clearly would ISIS content stand out from the ordinary, disinhibited chatter of online gaming?

The seemingly endless string of data breaches
and privacy violations by service providers large and small has led to a growing call for meaningful privacy and data protection legislation here in the U.S. Ameesh Divatia is CEO and co-founder of Baffle, a company focused on data encryption and key management, and he offers his views on the growing frustration with how companies handle our private information.

Data collection is a given these days. No matter what we do, data will be collected. Obviously, a lot of the tech companies base their entire business models on the fact that they collect data and they have to profit from it. Otherwise, they would have to charge for their services. But just because they have data does not mean that they can misappropriate it. And I think that's where regulation really comes in, that we have to make sure that the regulation will make sure that these companies and any entity, it doesn't even have to be a company, even the government, is responsible for losing data. So any entity that collects data has to process it responsibly.

And so how do you propose that that can be done?

I think it is a dialogue. I think regulations like GDPR force the creation of what is known as a DPO, a data protection officer. So the data protection officer has to be a key voice in that dialogue. And again, it is a good mix. It is a balance that they have to strive for between business needs and the fact that it is somebody else's data that they are processing. So we come up with ways of actually protecting data. One of the important things that the industry is gravitating towards is that the data has to be protected as soon as it's collected. But then the difficult part comes in, which is how do you figure out a way where you process that data without actually revealing the underlying records themselves? GDPR certainly has set the stage, but then over the course of last year, we've had many other regulations that have come in and followed through with that. The California Consumer Privacy Act, even overseas, countries like Singapore have the Personal Data Protection Act, and all of them are starting to focus on the fact that you have to make sure that the records themselves are protected. They don't necessarily get into the technology and say, this is how you shall protect it. They just say you have to protect the data, because if you lose it, then you'll be fined.

And do you suppose that those fines are going to have the intended effect, or might we be in for some unintended consequences?

Well, we'll see how it works out. I think decisions are eventually going to be decided by the courts, because we already have started seeing some of these lawsuits being filed in connection with GDPR, or now actually, thanks to regulation in this country, by U.S. entities as well. The Marriott breach, which is monumental, 500 million records, is a great case in point of how breaches continue to happen. Breaches continue to happen in spite of all the money that's being spent on cybersecurity. So clearly, we are not anticipating these threats well. One of the running jokes we have is one of the reasons why these breaches are not being detected is because we have this Mission Impossible threat model that we are working with, where we are assuming that the way threats happen and attacks happen is when Tom Cruise drops from the ceiling of the data center and steals disks. Well, it doesn't happen like that. There are much, much easier ways to steal data. And that's exactly what happened in the case of Marriott, where they stole the data while being privileged users or database administrators, if you will. They were pretending to be administrators, stole the data, and encrypted the data on their way out so it couldn't be detected. Many, many details will still emerge, but the early indications seem to be that they did do what was required by compliance, which is protecting data at rest, but it wasn't adequate. So clearly, encryption and protection mechanisms need to continue to evolve to make sure that the threats are mitigated.

Yeah, it's interesting to me. I mean, it strikes me that every company says your privacy is important to us. But I think we've reached the point where when you hear a company say that, there's a tendency to kind of roll your eyes and say, yeah, but in the meantime, here's everything you're doing with my data. Do you think there's a competitive advantage to be had here for companies who actually walk the walk, talk the talk?

Absolutely, there is. So security has traditionally always been an afterthought. It's always been something that's a necessary evil in order to get through compliance or get through audit. I think this year, 2018, has really been the year at which it starts to become more of a competitive advantage. If you, as the data collector, are able to store the data responsibly and then be actually able to process the data so that you're never actually exposing the data in the clear, that is the winning formula. And that's what will set these companies apart. Notification requirements, like we were talking about in our last podcast, are absolutely all over the place now. Every state has one, which means that if you lose data in the clear, you have to disclose it. And that is a huge damage to the reputation of these companies, because they're all consumer facing and they have to make sure that customers feel good about doing business with them. So it is going to become a competitive advantage. And I think that's where the companies will take it seriously, because their investment now is really about enhancing their business more than just a necessary evil to avoid hackers getting in.

That's Ameesh Divatia from Baffle.
If you're a Reddit user and have recently found your account inaccessible, the service is in the process of restoring access user by user. Reddit has locked down a large number of accounts over security suspicions, aroused by unusual activity in those accounts, consistent with the presence of unauthorized users. As users reset their credentials, Reddit is advising them to choose complicated, non-obvious passwords, and above all not to recycle passwords used in other accounts.

GDPR has had a worldwide impact, but a recent advisory opinion rendered to the European Court of Justice, the EU's high court based in Luxembourg, may have imposed some limits on the application of the right to be forgotten in particular. The opinion is non-binding but significant and is being regarded as a win for Google, which has been fighting an attempt by French authorities to get the search engine provider to apply the right to be forgotten everywhere. The basis for the Advocate General's opinion is concern about the reciprocal effects such enforcement might have. The Advocate General warned that ordering removal of content from sites accessed outside the European Union would in all likelihood provoke retaliation by other jurisdictions.

And finally, reflections on how NSA came to learn about the possibility that it had a pack rat at Fort Meade
continue to take an interesting turn. Redacted court documents released in the Hal Martin case suggested to many that Mr. Martin had been in touch with the Shadow Brokers and perhaps had been the source of the tools the brokers leaked. One of the tweets mentioned material that had a shelf life of three weeks. But the "shelf life three weeks" tweets said to have aroused such suspicion at NSA in 2016 were apparently turned over to NSA by Kaspersky, according to anonymous sources, not authorized to discuss what they know, who spoke to Politico this week. The tweet was addressed to Yevgeny, presumably Eugene Kaspersky himself, by @HAL999999999, as Ars Technica reports. Thus, it was Kaspersky, the Washington Post notes, and not U.S. counterintelligence officers who first twigged to the possibility that someone may have been getting ready to leak classified information, and that warning is being connected to Hal Martin's arrest.

Two points are worth making. First, Mr. Martin, who's entitled to the presumption of innocence, is charged with mishandling and unlawful retention of classified material, not with passing it to anyone. So the Shadow Brokers leaks that soon followed the tweets may be coincidental, if one believes in such things. Second, as interesting as we find reading and writing about this developing story, the fact that anonymous sources not authorized to speak are speaking as much as they are suggests that U.S. federal insider threat programs remain more loosey-goosey than the intelligence community would probably hope. Sure, it's interesting, but if the feds are this leaky, what hope is there for the average small business contractor trying to control its insider threat exposure?

By the way, how do we know that @HAL999999999 is in fact even a person? Couldn't it be some malign AI? It's not exactly the HAL 9000 that Mr. Kubrick and Mr. Clarke tried to warn us against in 2001: A Space Odyssey. Too many nines, for one thing. But maybe an offspring? Or a cousin? We've heard about this AI stuff. Think 2001 was just fiction? Head in the sand, sheeple, head in the sand. We're just kidding, of course.

I'm sorry, Dave. I'm afraid I can't do that.
And joining me once again is Jonathan Katz. He's a professor of computer science at the University of Maryland and also director of the Maryland Cybersecurity Center. Jonathan, good to have you back. We had a story come by from Wired, and this was about the next generation of Wi-Fi security upping their game and increasing security there with better encryption and so on. Can you give us an overview of what's going on here?

Yeah, this is a new standard, the WPA3 standard that's been coming out to protect, as you said, wireless communication. And it has a number of interesting features, actually, and upgrades to the previous security that was being offered by WPA2. And in particular, one of the things it addresses is the fact that many people might be using a very weak password to protect their wireless communications. And they built in protection here to kind of mitigate against that sort of thing.

And how can they do something like that? What's going on under the hood?

Well, right now in the WPA2 standard, the password is sent in such a way, or used in such a way, that an attacker can record the conversation between a user and the base station, record all the messages that were sent back and forth, and then go offline and try to apply what's known as an offline dictionary attack, basically trying thousands of different potential common passwords until it finds the right one. And the point is that those kinds of offline dictionary attacks are much easier for an attacker to carry out than an online attack, where they have to sit there and actively interact with your network. So the new WPA3 standard actually prevents this offline dictionary attack, which means that even if you're using a weak password, the attacker won't be able to go offline and figure it out.

And so by default, WPA3 is going to have encryption active from the get-go.

Yeah, so I mean, WPA2 also offers encryption, but I guess the point is here that it's an extra layer of protection for users that don't choose strong passwords. Now, by the way, that's not to say that you shouldn't choose a strong password. Obviously, a strong password is going to be better than a weak one. But here, they're offering some additional layer of protection, even for people who choose weak passwords.

Yeah, kind of protecting people from themselves.

Yeah, that's exactly right. That's exactly how they're selling it.

Yeah. All right. It's interesting. Well, we'll have to see how it spreads and how quickly this actually makes it out into devices.

Yeah, we'll have to see actually how quickly manufacturers are going to install this new standard in their devices to allow users to go ahead and upgrade.

Yeah. Jonathan Katz, thanks for joining us.

Thank you.
And that's the CyberWire.

For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.