CyberWire Daily - Telegram recovers from DDoS. Fishwrap campaign breaks old news. Ransomware hits ACSO plants. Congress considers hacking back, again. That ol’ devil limbic system.
Episode Date: June 13, 2019
Telegram recovers from a distributed denial-of-service attack. No attribution yet, but all the circumstantial evidence points to the Chinese security services. Operation Fishwrap, conducted by parties... unknown, is an influence campaign that substitutes olds for news. Aircraft component manufacturer ASCO's production is hit by ransomware. Hacking back is back, in Congress. Why don't people patch? And a tip on fact-checking. Ben Yelin from UMD CHHS on NYPD cellphone surveillance. Guest is Dave Aitel from Cyxtera on offense-oriented security and the INFILTRATE conference. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_13.html
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Telegram recovers from a distributed denial-of-service attack.
Operation Fishwrap, conducted by parties unknown,
is an influence campaign that substitutes olds for news.
Aircraft component manufacturer ASCO's production is hit by ransomware.
Hacking back is back in Congress.
We wonder why people don't patch.
And a tip on fact-checking.
From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, June 13, 2019.
Telegram has stabilized its service after sustaining a very large distributed denial-of-service attack, Reuters reports.
The DDoS attack traffic originated largely from Chinese IP addresses, and circumstantial evidence points to Chinese government's attempts to disrupt the use of the secure messaging service by protesters in Hong Kong.
According to Bloomberg, controversial legislation that would facilitate extraditions to China proper from the semi-autonomous city
has prompted very widespread street protests in Hong Kong.
Recorded Future describes an influence campaign they're calling Fishwrap.
Fishwrap repackages genuine but old news as fresh, breaking news.
It's therefore not really fake, but rather misleading.
The stories themselves don't appear to be altered and even retain their original dates. But a flurry of tweets distributing a story from, say, 2016, gives the old news current impact.
It's very easy to overlook a dateline in a news feed.
You expect something that's breaking to be current.
We note that YouTube's algorithms seem to have inadvertently engaged in a juxtaposition of news that bears at least a family resemblance to Fishwrap.
You will recall that the algorithmically delivered context
YouTube provided to video of the Notre Dame fire in Paris
included links to material about the 9-11 attacks in New York.
Fishwrap makes such mistakes on purpose.
They're intentional tactics.
And Fishwrap generally doesn't violate platforms'
terms of service either, even so far as those terms of service do seek to draw lines between
truth and falsehood. So far there's no attribution, but the effort that went into the campaign,
and its concentration on politically and socially divisive clickbait, seems to represent a nation
state's systematic adoption of a relatively
obvious but hitherto unusual tactic. A ransomware infestation at one of its Belgian facilities has
disrupted production at aircraft parts manufacturer ASCO. About a thousand workers have been furloughed
indefinitely as plants in Belgium, Germany, Canada, and the U.S. are temporarily closed.
The facility known to be affected is the one located in Zaventem, Belgium. The other production
centers may have been closed as a precaution in an attempt to isolate the infection.
ASCO is based in Belgium but has been owned since last year by the U.S. company Spirit
AeroSystems. It's an important supplier of
components to both commercial and military aircraft companies. Boeing, Lockheed Martin,
and Airbus are all customers. The ransomware was detected last Friday, June 7th, and ASCO has been
releasing information about it slowly and carefully. It has said that it's notified
appropriate law enforcement authorities and that it's brought in security companies to help with forensics and recovery.
The company's sparse public communications contrast with very quick and forthcoming public communication
of Norsk Hydro when it recently sustained a similar attack.
Representatives Tom Graves, a Republican of Georgia, and Josh Gottheimer, a Democrat of New Jersey,
are reintroducing a hack-back bill to the U.S. Congress with bipartisan support.
They're calling it the Active Cyber Defense Certainty Act.
Intelligence and law enforcement agencies remain cool to the idea,
being concerned about the notorious difficulty of attribution.
Some in the security industry are also skittish about the concept of cyber-active defense,
as the proposed bill calls it,
fearing that such laws would tend to induce a crossfire in cyberspace
whose effects would be hard to predict and difficult to control.
Representative Graves told CyberScoop that the bill's language resonates with recent remarks
by U.S. National Security Advisor Bolton,
who earlier this week talked about U.S. intentions of finding greater scope for retaliatory action in cyberspace.
That may be a reach, since arguably Mr. Bolton was talking about an inherently governmental responsibility,
but in fairness, the Active Cyber Defense Certainty Act doesn't seem to create the Wild West.
The FBI would be the ones issuing the letters of marque and reprisal here.
Quote, a defender who uses an active cyber defense measure must notify the FBI National Cyber Investigative Joint Task Force
and receive a response from the FBI acknowledging receipt of the notification prior to using the measure.
End quote.
Presumably, acknowledgement of receipt means go ahead and open fire.
As we say, the proposed measure isn't the utterly reckless hack-back-and-go-get-'em system bandied about a few years ago, but Congress will no doubt want to take a close look at this one.
Last month, security pros gathered in Miami to attend the INFILTRATE Conference, which focuses on offense-oriented security issues.
Dave Aitel is chief security technology officer for Cyxtera and one of the organizers of the INFILTRATE Conference.
We felt there was a big gap where every time you went to a talk, they would have to tell you about the interesting stuff, and then they would apologize for telling you about the interesting stuff and sort of like
pretend as if they didn't want to do offensive work. We sort of took that on ourselves. We're
going to make a high-end conference full of people who understand what exploits are, so it's not for
beginners necessarily, all about the hardcore technical stuff and not about all the marketing
nonsense that's going along with most of the other big conferences. So we do a few things
very differently. One, every talk gets peer reviewed before it goes on stage. You have a
team of technical experts watch every talk and make suggestions. And sometimes the suggestions
are very simple, like please make your fonts so that people can read them.
And then some of them are deep technical sort of concerns with the project or ideas that perhaps the author hadn't thought of. I want to explore something that you mentioned there, which is
this notion of people apologizing for the good stuff. It seems to me like there's a subtext
there, like the offensive stuff is considered to be the good stuff.
But is there a social taboo about talking about it?
There is. There's a huge social taboo for pointing out what we all know, which is that offense is super fun and defense is super boring.
Everyone sort of does this kowtow towards the defensive side at most conferences.
And we just rip all that away so that we can get on with the business
of the interesting technical content at Infiltrate.
Well, give me some of the background here
for folks who might not be familiar
with exactly what's involved on the offensive side.
What's the scope and the range
of what we're talking about here?
It could be anything from how to properly,
automatically attack an active directory network,
which is something Microsoft
research presented on in 2015, and which there was a lot of focus on, and a tool came out of
that research called Bloodhound eventually. And then that, of course, technique is what
WannaCry and NotPetya and all the other worms have been using to sort of rampage around
everyone's networks for the past two years. In a sense, it's about getting ahead.
What is on the horizon? What are some of the things that folks might have presented on that you think are worth mentioning?
We had a lot of phone exploit talks this year. We had a number of talks that sort of looked at how ARM is doing their authenticated pointers and bypassed that sort of defensive mechanism.
So it's always a question when a new mitigation comes out, is it going to be able to be easily
bypassed or is it going to be very difficult to bypass? And I think we've come to grips with
some of these things being useful in certain circumstances like remote attacks, but not useful
against local attacks on the phones themselves. The telephony attacks were some of my favorite talks,
but we also had talks about the past.
And I think it was interesting to note that the very first talk
was a 20-year-old Solaris local exploit finally being released,
which I thought was really interesting.
Swinging back again to the sort of social taboo,
do you see things shifting?
Are people waking up to a different reality with this?
I mean, I hesitate to say that people are waking up because if you look at the major
companies, they all have a big offensive team.
Microsoft, Google, Amazon, Apple, you name it, they have a giant team of offensive researchers
and they compete very carefully for talent in that space.
And that's one of the things, obviously, that happens at Infiltrate. The taboo, although
it is clearly very evident at most conferences, is something that I don't necessarily think is
holding any of these companies back from investing in that space. I mean, our sponsors include every big
name company you can find. That's Dave Aitel from Cyxtera and the INFILTRATE Conference.
Why do enterprises fail to patch known high-consequence vulnerabilities, like BlueKeep?
Avast calls it update inertia. It's all in your heads, IT. Or to be more precise,
it's there in your limbic system, says Avast. The problem with patching is that people tend to regard it as a
high-labor, low-payoff nuisance, awakening with a sense of urgency only when they realize that,
oh wait, all my data are belong to someone else. So work to overcome those tendencies.
Don't make the lizard brain your personal CISO. Finally, returning to how algorithms can steer
us through falsehood and into truth,
I had an interesting experience the other day.
I sometimes need to check pronunciations, and YouTube can be a useful place to do this.
I was seized by a concern that I'd mispronounced TA-505.
I didn't think so, but it was bothering me, so I checked.
A quick search on YouTube brought up a video that was me pronouncing TA-505 on a previous episode of the CyberWire. So I'm glad I got that one cleared up.
Here's a fact-checking tip for you all. You want to know if that newspaper story is true?
Go buy another copy of the newspaper to double-check it. And I can't help wondering if I
worked hard on my amazing Australian accent,
could I become the standard in New South Wales?
Look at that, mate, from the cyberwire.
Awful.
And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University
of Maryland Center for Health and Homeland Security. Ben, it's always great to have you back.
We had a story come by.
This is from the website called MuckRock.
And it's an interesting one about the NYPD claiming that they have no records on the Millions March cell phone surveillance.
There's a lot to unpack here.
Help us understand what's going on here.
... Police Department used surveillance tools to try and track members of these protest groups.
The reason suspicions were raised is because protesters, and particularly the leaders of
the protest, were getting suspicious messages on their devices. The devices were shutting off at
random. There were messages indicating interference. So there were some suspicions raised.
Members of this march, in coordination with the ACLU, tried to use New York's equivalent of the Freedom of Information Act, which in New York is called the Freedom of Information Law, to find out what sort of surveillance techniques, if any, were being used by the police department.
First, the New York Police Department used what's called a Glomar denial, which is basically, "I'm not going to confirm nor deny your suspicions; I'm simply not going to give you any information." And they're allowed to do that. They are allowed to do that until a court steps in, and that's what happened here.
I see.
A court stepped in and basically said... of the Millions March are going to appeal, it's certainly a major civil liberties concern. If
the New York Police Department was using surveillance techniques like stingray devices,
where law enforcement is able to trick cell phones into identifying their location by posing as cell
site towers, then that gives the users of the cell phone certain legal rights under the Fourth
Amendment. In order to know whether those statutes have been violated or these constitutional principles have been violated,
we need access to that information. So it's certainly disturbing that the police department
doesn't have access to these records. The one good thing, from a civil libertarian's
perspective, is that the court ruled against this, what they call the Glomar
invocation, this invocation that we're not going to confirm or deny the existence of these
surveillance tools. The court was very clear that that was not acceptable in this case.
And as a result, that set a precedent for future cases within the New York court system.
So assuming that in the future, records are actually retained as it relates to these surveillance services, at the very least, cell phone users and members of future marches and the like will have this legal opinion as binding precedent.
To be clear here, coming from the NYPD's point of view, I mean, they are under legal obligation to tell the truth here, right?
They can't just say, oh, no, we don't have those records. If they have a box of records sitting behind them and saying, what records? If they
had the records legally, they would have to say so. They absolutely would, especially since it's
now mandated as part of a court order. I'm certainly not in any way suggesting that they
are breaking the law by lying about whether they've retained these records, but it's also
possible that they have been breaking
record retention laws.
If there were evidence that these records were destroyed
prior to this court decision,
there could be legal consequences for the department.
As far as I can see,
and maybe you have a different read of this,
I haven't seen any evidence of that.
So if it was a good faith mistake
and they intended to keep the records,
but for whatever reason, the records were not
retained, then they're not going to be exposed to legal liability. So where do we suspect this
goes from here? As far as we know, at the moment, the highest court to weigh in on this is the New
York Supreme Court, which in New York is actually not the highest court in the land. But we are
really going to be at an impasse if it's true
the New York Police Department didn't actually retain these records. You know, in the one sense,
that's a very dissatisfying answer for the members of this protest, who are rightly suspicious of whether
their communications were intercepted, or whether their location was tracked while they were
exercising their First Amendment rights. But on the plus side, we now have this precedent decision saying that the New York Police Department can't issue this
GLOMAR denial if there are allegations that they have been using surveillance techniques.
In the future, according to this precedent, in similar cases, the police department is going
to have to either confirm or deny whether they were using this surveillance technology.
Sometimes groups like the ACLU, the best they can do is solicit an admission that these
surveillance techniques are being used, even if they aren't able to get additional information.
Sometimes simply publicizing the fact that stingray devices are being used or other
intercepting technology is being used,
can be the purpose of some of these lawsuits, just to get it out there in the public mind
that people who are protesting might be insecure in their electronic devices.
All right. Well, Ben Yelin, thanks for joining us.
Thank you.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders
who want to stay abreast of this rapidly evolving field,
sign up for CyberWire Pro.
It'll save you time and keep you informed. Listen for us on your Alexa smart speaker too. The CyberWire
podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're
co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire
team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar,
Joe Carrigan, Carole Theriault, Ben Yelin,
Nick Veliky, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick,
Jennifer Eiben, Rick Howard,
Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here
tomorrow.