CyberWire Daily - Taking down coordinated inauthenticity. Contact tracing and other COVID-19 notes. BlackInfinity taken down.
Episode Date: May 6, 2020
Facebook reports on the coordinated inauthenticity it took down in April. Investigations into COVID-19's origins continue, as does medical espionage. Contact tracing's challenges. Joe Carrigan from JHU ISI on recent flaws in antivirus products, our guests are Laura Deimling and Courtney Wandeloski from Down To Staff on interviewing tips for employees and hiring managers. And European police take down the BlackInfinity credential traffickers. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_06.html
Transcript
You're listening to the CyberWire Network, powered by N2K.
Facebook reports on the coordinated inauthenticity it took down in April. A ransomware attack in Taiwan may be state-directed. Remcos RATs are being pushed with targeted spam. Investigations into COVID-19's origins continue, as does medical espionage. Contact tracing's challenges. Joe Carrigan explains recent flaws in antivirus products. Our guests are Laura Deimling and Courtney Wandeloski from Down To Staff, with interviewing tips for employees and hiring managers. And European police take down the Black Infinity credential traffickers.

From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 6th, 2020.
Facebook has removed hundreds of disinformation accounts. Menlo Park's report on coordinated inauthenticity for April breaks down the countries where the Facebook and Instagram accounts formerly operated. Georgia leads with almost 1,000 suspect accounts taken down. They were for the most part associated with domestic political groups. Russia and Iran showed high levels of state-directed activity directed at foreign targets. A number of takedowns in the U.S. removed inauthentic accounts associated with QAnon conspiracy theorists. Accounts taken down in Mauritania and Myanmar focused on domestic audiences, and the Myanmar operations were associated with that country's police.

An unfortunate side effect of the global pandemic is that there are a lot of people out there looking for jobs. The cybersecurity sector, despite having a shortage of qualified workers, is not immune to this trend. Laura Deimling and Courtney Wandeloski are from staffing organization Down To Staff.
Well, most companies now are hiring virtually.

That's Laura Deimling.

A lot of them are also doing virtual career fairs and virtual hiring events. So it's 2020. We have the technology, and now companies are really utilizing that. So there's really no reason to not be able to make those connections. People are doing Zoom happy hours and Zoom get-togethers. And there are so many different groups that are starting up that are doing these different sorts of virtual events. So I would say to candidates to take advantage of all of those, especially if you have lost your job and you do have the time: take a look on LinkedIn and just join any webinars, join any little happy hour events, and start connecting and expanding your network.

So even though we're in a situation where we may have to do it more remotely, that networking element is still really important.

Yes, I would say it's even more important than ever. And the networking has shifted from networking with your current small little network to really expanding your network. And I would say that's where the emphasis should be on networking. It's not just who you know right now, but who you can get to know, is what I think the focus should be on.

Are there any common mistakes that you see people making when they're heading down this path, when they're taking this journey looking for new work?

I think just making sure that candidates are prepared for their interviews, especially with things being virtual. If you have an interview with a call-in number or a video interview, make sure you have the software and the software is working, you know, that everything is running smoothly before the interview. The last thing that you want to do is, you know, not be able to get your video interview software working and the hiring manager has to wait 10 minutes for you to figure it out. So just really being prepared, you know, making sure that with all of these changes and things being more virtual, that you understand the technology, that you know how to use it, and that you're ready when that opportunity comes up to, you know, look like you know what you're doing, understand, be professional, and really impress the hiring team.

And another note on that as well is the job market is getting ready to be flooded with a lot of candidates and a lot of qualified candidates.

That's Courtney Wandeloski.

So many people are losing their jobs, and there's going to be a lot more people looking for jobs than there have been in the past few years. You know, unemployment has been really low. It is not like that anymore. So I would say being quick to respond could mean getting a job or missing out because another candidate got it. So I think now more than ever, the candidates have been in the driver's seat for many years now, and we're getting ready to see a switch again to where the companies have a little bit more control in the hiring process. So I would say, you know, make sure you are very responsive to any calls and emails, because if you're not, somebody else is going to.

That's Laura Deimling and Courtney Wandeloski from Down To Staff.
The chairman of the U.S. Joint Chiefs of Staff, U.S. Army General Mark Milley, yesterday offered an assessment of where the ongoing U.S. investigation into the origins of COVID-19 stands. As The Hill reports, General Milley told reporters, quote, the weight of the evidence, nothing's conclusive. The weight of evidence is that it was natural and not man-made. The second issue is, was it accidentally released? Did it release naturally into the environment, or was it intentional? We don't have conclusive evidence in any of that, but the weight of evidence is that it was probably not intentional, end quote. He called upon China to cooperate with international investigators. So the current state of the question seems to be that the virus was not artificially engineered, but rather emerged naturally and was not intentionally released. Whether the outbreak originated in human contact with infected animals or in an accident at a Wuhan laboratory remains undetermined.
Attempts by state-directed hackers to obtain the results of research into COVID-19, especially work toward a vaccine, are continuing. The Week has a summary of the password-spraying campaigns that represent the general approach the attackers are taking. While both U.S. and British services, specifically CISA and the NCSC, have issued warnings about the threat, the hostile intelligence services appear to have been especially active in the U.K. Britain's foreign minister, Dominic Raab, said yesterday that he expects the attacks to continue even after the pandemic subsides. Quote, there are various objectives and motivations that lie behind these attacks, from fraud on one hand to espionage, but they tend to be designed to steal bulk personal data, intellectual property, and wider information that supports those aims. They're often linked with other state actors, and we expect this kind of predatory criminal behavior to continue and to evolve over the coming weeks and months ahead, and we're taking a range of measures to tackle that threat, end quote.
As contact tracing apps begin to roll out, they face two principal challenges: privacy and efficacy. Centralized tracing systems, like the one currently being piloted in the UK on the Isle of Wight, have drawn more concern than decentralized exposure notification systems, like that developed by Apple and Google. In the UK, the National Health Service is working to address privacy concerns about its app. NHS intends to form an ethics board to oversee use of the data it collects, and, The Guardian adds, NHS is mulling the establishment of a sunset clause that would lead to deletion of the data once they're no longer needed. But concerns remain about the security of the information that would be held in the central data repository, however long NHS needs to retain it.

India's government has denied that its own contact tracing system has a vulnerability that exposes the data it collects to compromise. Outlook India reports that the government evaluated the claims of a French white hat hacker to have found that their system would expose sensitive personal information. The government's answer to the research points out that much of the information the researcher complained about, including certain forms of geolocation, was already public, and that in other respects the data were properly secured.

The second issue is that of efficacy. SecurityWeek lists various points of skepticism, especially those that suggest the possibility of high false positive rates. Forbes discusses a more basic problem. If, as has generally been the case, the contact tracing and exposure notification apps are intended to be installed voluntarily, and if the system depends upon self-reporting of symptoms or diagnosis, they'll depend upon widespread public cooperation. But to be effective, that cooperation needs to extend to about 60% of the population. Narrowed to smartphone users, who of course are the ones being tracked and notified, that fraction rises to 80%. That's about the best market penetration WhatsApp has achieved during its best years. It seems unlikely that a contact tracing app will quickly beat WhatsApp with consumers.

And finally, Europol has announced that Polish and Swiss police have taken down the credential-trading Infinity Black gang. Five Polish hackers were arrested, and assets, including hardware and cryptocurrency wallets worth 100,000 euros, were seized. Infinity Black operated on both its own site and in other dark web markets, ZDNet reports. And the gang not only trafficked in credentials, but also in attack tools sold to other criminals. The gang was well organized and segmented. It seems unlikely the five arrested were the only members.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the Hacking Humans podcast. Joe, always great to have you back.

Hi, Dave.

Interesting article. This is from Tom's Guide.

Yes.

And it's titled, "28 Antivirus Products Share Nasty Flaw That Can Brick Your PC." What's going on here, Joe? It sounds terrifying.

And it actually kind of is. First off, you need to have access to a machine first before you can do this. You have to be on the file system and have already penetrated the machine. So that has to have taken place at some point in time. But once you've done that, this technique exploits the antivirus process. And the way that works is antivirus will scan a file that has been downloaded, usually instantaneously. And then if it finds that file to be malicious, it will go ahead and delete it. But there is a time delay from when it gets scanned to when it gets deleted. And that's key. So if you use a technique called, in Windows, directory junctions, and on Linux and Mac, symlinks, which are essentially just pointers to other parts of the file system, and you change the file from the malicious file that was detected to a symlink or a directory junction, then when the antivirus comes along and deletes that file, it will actually delete files that may be important to the operating system. And you can eliminate portions of the operating system that will essentially make it so your computer will not run, which is what they mean by bricking your computer. It's not bricked in the sense of like it's destroyed. You can still reinstall the operating system, but you have to go through that process of reinstalling the operating system.

Now, this was pretty widespread among a lot of different antivirus programs, right?

Yeah, they said they had 28 that they found this vulnerability on. And that includes some major names in the antivirus world, like McAfee, Sophos, F-Secure, Kaspersky, Microsoft, Bitdefender. A lot of them had this vulnerability.

Right.

And it's really a vulnerability in the process. It's not really a software vulnerability, in the fact that they're not exploiting anything. They're not doing anything to the software. They're doing something around the way the software works, which is a perfectly legitimate way to describe a vulnerability. You're exploiting something around the process of the software.

Right. So it wasn't like the folks who wrote the code here made a mistake. This is taking advantage of the way that the operating systems work behind the scenes.

Right. And I think the people from RACK911, that's the company that found this, I think they would say this is a coding mistake, but it's not. I wouldn't say it's a coding mistake. I would say it's a design mistake, right? So earlier on in the process of building software, that's where you made the error, in the design phase.

Now, interesting to note too, that the folks at RACK911, they had some interesting critiques of the folks who make this software.

Yeah, they did. And I'm going to echo this a little bit. I'm going to read directly from their blog post, which is on rack911labs.com. It says, we have been involved in penetration testing for a long time and never imagined our counterparts in the antivirus industry would be so difficult to work with due to constant lack of updates and total disregard in the urgency of patching the security vulnerabilities. I find that shocking to hear. They started this research in the fall of 2018, and now they're going public with it here in the spring of 2020, which is like 18 months. And every single vendor that they contacted has had at least six months to fix this vulnerability. And at the time of the initial writing of this vulnerability, not everybody had done it. And down at the bottom, they have an update from April 24th that says almost every antivirus vendor mentioned in this page has now patched, with the exception of a few who will likely have patches out shortly given the media attention. And then they go on to say the goal of disclosure is not to name and shame the vendors, but to bring attention to how easy it was to leverage the antivirus software to become a destructive tool. Okay, I understand that you're saying that, but I want to say it is perfectly fine to name and shame companies like this that are not participating with you actively in a vulnerability disclosure of this magnitude. This is a big flaw that they found in the systems, and I'm sure they're not the first people to find it. This can be used to destroy a lot of files because of the way symlinks and directory junctions work. You could use it to stop antivirus updates from happening, right? Because now when my antivirus downloads an update, I can go out and convince the antivirus to delete its own signatures or delete a portion of its own signatures. That's a use case. I can envision an attack using this exploit that makes the antivirus less effective by deleting the signature files that they download. The antivirus may believe it's up to date and may believe it's using the proper files, but in fact, it's not. It may even cause it to fail. It may cause it to stop working, in which case now you can run a lot more software on this computer that you've compromised. Another thing they've said is that they've received questions about lesser-known antiviruses that were not listed in the report, and all were found to be vulnerable. And the final point that they make, which is actually a very good point, is that this is probably not something that's limited to antivirus. This is something that a lot of software, any software that accesses files, should probably take a look at: how they access that file, and make sure that it can't be exploited by using this symlink or directory junction attack.

All right. So I suppose the take-home here is if you're using any of these antivirus packages, make sure that you're up to date and that they've put a proper patch in place.

Yep. Yep. They've just about all patched for it now, which is good. So go ahead and update. Keep your software up to date at all times. You know, this is kind of a low-likelihood attack, but it's a high-impact attack. So I would say it's definitely worth going ahead and updating and making sure that you're updated.

All right. Well, Joe Carrigan, thanks for joining us.

It's my pleasure, Dave.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.

The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.