CyberWire Daily - Tensions over Salisbury nerve agent attack remain high. BranchScope raises concerns about side-channel attacks. Facebook data scandal updates. Atlanta and Baltimore recover from hacks.
Episode Date: March 28, 2018
In today's podcast, we hear that tensions continue to rise between Russia and other, mostly Western, countries as the number of nations taking diplomatic measures to protest the Salisbury attack exceeds twenty-five. Western governments are on alert for Russian cyber operations as well as diplomatic reprisals. A new bug, BranchScope, is found affecting Intel processors. The Facebook data scandal continues. Atlanta and Baltimore recover from hacks of municipal systems. Dr. Charles Clancy from the Hume Center at VA Tech, discussing the security of analog devices in cyber physical systems. Guest is Liv Rowley from Flashpoint on Dark Web refund fraud. And don't be gulled by bogus job offers.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Tensions continue to rise between Russia and other mostly Western countries
as the number of nations taking diplomatic measures to protest the Salisbury attack exceeds 25.
Western governments are on alert for Russian cyber operations as well as diplomatic reprisals.
A new bug called BranchScope is found affecting Intel processors.
The Facebook data scandal continues.
Atlanta and Baltimore recover from hacks of municipal systems.
And don't be fooled by bogus job offers.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, March 28, 2018.
The tally of countries taking diplomatic action against Russia
for what U.S. Defense Secretary Mattis aptly called attempted murder in Salisbury has now risen above 25.
The U.S. expulsion of 60 diplomats accredited to Russia's Washington embassy and United Nations delegation is the largest ever such expulsion ordered by an American administration.
Nothing in the Cold War, for example, came close.
A number of observers have pooh-poohed
showing diplomats the door as an ineffectual response
that doesn't really hit President Putin and his regime where it hurts.
They recommend harder financial sanctions, for example,
like suspending Russian banks' access to the SWIFT international funds transfer system.
While it's doubtless true that oligarchs care a lot about their net worth and its liquidity,
the degree of odium and isolation Russia is experiencing can't be comfortable, especially during a time when domestic outrage is rising over Sunday's disastrous fire that destroyed
a shopping mall in the Siberian city of Kemerovo, killing at least 64 people, 41 of them children.
The high death toll is attributed to official negligence and corruption,
disabled alarms, locked exits, and so forth,
and there have been protests in Russia.
Another downside is the striking degree of intelligence sharing
that's taken place in the West over the Salisbury attack.
The Times of Israel is particularly struck by what it calls an unprecedented degree of openness
on the part of British intelligence. Such collaboration isn't good news for Russia.
For its part, Russia's foreign ministry has denounced the diplomatic reprisals as
senseless and boorish, and promised that Russia will itself take some action in
response. What that action will be is expected to include, as a minimum, Russia's own declaration
of foreign diplomatic personnel persona non grata. More worrisome is the prospect of offensive
Russian cyber operations. For weeks, officials and security experts in a number of countries,
but notably in the UK and the US,
have warned of the vulnerability of electrical power grids to cyber attack and of Russian preparations to conduct such an attack.
When such exchanges in cyberspace might become an act of war remains unclear,
but it's unsettling to say the least that this question is now being widely asked.
There are all sorts of illicit products and services for sale on the deep and dark web.
Liv Rowley is an intelligence analyst at Flashpoint, and she recently authored a research report
titled Refund Fraud and Fake Receipts Proliferate on the Deep and Dark Web.
She joins us to share her findings.
LIV ROWLEY: Probably about a year ago, we started hearing from some industry partners
that they were really being impacted by refund fraud,
which is just when somebody orders something online typically
and then they pretend that there was an issue with the shipment of the product
in order to get a refund of the product.
So they get the actual product in the mail and then they get that refund as well.
So we started looking into it and we were seeing it all over, you know, a handful of communities
in the deep and dark web where people were actually selling their ability to con customer
service representatives in order to get these refunds. I see. So walk us through here. What
exactly did you discover? How does this work? So what we discovered is, well,
there are definitely people doing this on their own just to defraud companies and get their own
pair of sneakers. We found that there's a handful of, we're calling them refund fraud vendors.
They actually offer their abilities to secure these fraudulent refunds for their clients.
So if you would be interested in using one of these refund fraud vendors, you
might buy, say, a laptop online. And then after you get the delivery of the laptop, you'll go to
one of these vendors and say, hey, I got this laptop, but I don't want to pay for it. I want
a refund. And you pretty much hand over all the details of that shipment, when you bought it,
what the name on the account is, all that to this vendor. And then the vendor calls up their customer service, makes up whatever excuse,
you know, they feel will get the job done. And then the client of that, you know, illicit vendor
gets a refund, a full refund, and they pay a small percentage, normally about 10%
to the person who helped them get that
refund. So it's a super interesting scam because people are essentially contracting out social
engineering. And so on the retailer side, are people just taking advantage of retailers wanting
to provide good customer service? That's what a lot of it is. Absolutely. A lot of times these
retailers will even push back. Cyber criminals will talk about how, you know, the retailer will say, well, that's,
you know, not our problem. That might be a problem with a shipping company. And they will keep
pushing, keep pushing, keep pushing until they do eventually get these refunds. Interesting. It
strikes me, too, that, you know, in an age of, you know, where I get a text message when, you know,
UPS delivers something from Amazon, there's a paper trail on these things.
I guess an electronic paper trail.
And it would strike me that that would make this sort of thing more difficult.
But your research seems to show that they can still do it.
Yeah, it really just comes down to, I mean, there are a variety of excuses that these fraudsters are employing when talking to customer service
representatives. But a lot of it is just them very convincingly lying to these people who are
giving them refunds. We'll even see some of them will say, hey, even if you signed for the package,
I can get you a refund, which to me is absolutely remarkable.
Is there any sign that the retailers are getting wise to this and pushing back?
They're definitely aware of it. And different retailers have been employing different
countermeasures. Signing is a big one. A lot of people won't be so bold as to ask for a refund,
even when they've signed for it. But also, we've seen some retailers have rolled out
weighing packages throughout transit.
Sometimes what these fraudsters will say is that they got their package, but there was just nothing in it.
Or maybe they got two of the four items that they ordered, and that's the excuse that they'll use to get a refund.
So when you are weighing this package at each step, you can say, well, there's no way that that box was empty because we weighed it and there was a weight to it and it aligns with the product. So there are different things that are being done to try to combat this
type of fraud. The last interesting thing that I would have to say about this is the fact that
you also have people sharing evidence of either the products that they were able to acquire
or an email stating that they did get a refund and they're
sharing this information openly. So that's one of the reasons that we can be pretty sure that this
fraud is indeed happening and that these vendors of these fraudulent refund services are actually
doing what they say they're doing because people take a screenshot of an email that they got
saying, okay, hey, you know, we're sorry about your package, here's an $800 refund,
and they'll post that on these deep and dark web forums
to help boost the credibility of the vendor.
So that's very interesting to actually see that evidence that this is happening.
That's Liv Rowley from Flashpoint.
You can read the complete report,
Refund Fraud and Fake Receipts Proliferate on the Deep and Dark Web,
on the Flashpoint website; it's in the blog section.
University researchers have found a new vulnerability affecting Intel chips.
This one, called BranchScope, involves a susceptibility to side-channel attacks.
Intel has been working on the issue and thinks the bug probably amounts to no big deal.
In industry news, Thales continues to move forward with its plan to acquire all of Gemalto's stock,
and Gemalto's board is commending the deal to shareholders.
The period during which Gemalto shareholders can take Thales up on its offer runs from today through June 6.
Canadian advertising and software development firm AggregateIQ has denied connections with Cambridge Analytica
as well as involvement in the ongoing data scandal.
But code found by UpGuard in an exposed AggregateIQ database
suggests there may be some connection.
In the code was a string RIPON,
which is the name of a Cambridge Analytica platform,
and also the username SCL, the name of Cambridge Analytica's corporate parent.
The findings are small and circumstantial,
but also interesting in the light of Cambridge Analytica whistleblower Christopher Wylie's testimony in the UK
that AggregateIQ was involved in US campaign operations.
For its part, Facebook is putting its money where its mouth is
with respect to its take that the data scandal is essentially an app scandal
and a third-party app scandal at that.
It's offering researchers bug bounties for finding and reporting apps
that collect and misuse data.
Details on the bounty program will be made available
as Facebook firms them up over the coming weeks.
The expanded bug bounty is only one element of the company's damage control.
To review, Facebook initially responded by pausing all third-party application reviews on its platform
until it could apply changes to app permissions that would impede future episodes of data misuse.
The company also said that it would have its engineers manually review any app that requested access to a user's friends list.
As a minimum, that review would determine whether the app was actually using the data
within itself, as opposed to just scraping it up for other purposes.
The company also intends to look into apps that could access data before Facebook's 2014 changes to the platform that were intended to reduce such access.
Facebook also intends to sunset apps.
If you've installed an app and haven't used it for three months, Facebook will turn off that app's access to data.
Any app developers found to abuse data will no longer be welcomed by Facebook.
And of course, the company says it intends to notify users affected by data abuse.
Such moves of reform and repentance have their limits, however.
CEO Mark Zuckerberg has declined Westminster's request that he come to London and testify before a parliamentary inquiry into fake news.
Members of Parliament affect shock at his demurral.
Two large U.S. cities have been affected by hackers over the past two weeks.
Atlanta is just now beginning to recover from the SamSam ransomware infestation
that induced the city to take many of its employees and services offline last week.
Advice against paying ransom still holds,
but Atlanta's experience shows that recovery can be far from painless. Atlanta's brought in a lot of help. A partial list includes
SecureWorks, the FBI, the U.S. Department of Homeland Security, including the Secret Service,
and response teams from Microsoft and Cisco. The other city is Baltimore, whose 911 dispatch system was hacked Sunday morning.
The city's emergency responders switched to manual operation
until the computers were brought back online by 2 o'clock Monday morning.
The mayor says it's back to normal now.
Finally, an interesting scam has been reported
in which criminals have impersonated executives and even board members from the large U.S. federal contractor CSRA to hoodwink applicants for
jobs into handing over information better kept to themselves, like credentials and other personal
data. The approach starts with an email from a Gmail account and then an interview in which
the scammer uses the name of a real executive. They often follow up by sending the victim what looks like a check,
the better to harvest financial information.
CSRA isn't the only company whose good name is being abused,
and we note that this involves no compromise on CSRA's part.
The company and most of its peers post How We Hire notes on their corporate websites.
Do consult them before you respond to a Gmail contact from anyone claiming to be a hiring manager.
Sure, you want the job, but slow it down and be safe.
And I'm pleased to welcome back to the show Dr. Charles Clancy.
He's the director of the Hume Center for National Security and Technology at Virginia Tech.
Dr. Clancy, welcome back.
Great to be here. So an interesting topic you wanted to discuss today, some analog security of cyber-physical systems.
What do we need to know about this?
So a cyber-physical system is any sort of system that involves both a cyber component and a physical component, as the name might imply.
So you could think of a home automation system or a connected vehicle, for example, as an example of a cyber-physical system.
And one of the interesting properties of a cyber-physical system is that they have sensors that measure the environment around them.
The readings from
that sensor goes to some sort of control logic that then makes decisions and from there takes
action. So you think of a self-driving car, for example, it has cameras and radars and other
sensors that it uses to then make decisions. Those decisions then impact things like steering and
acceleration. So it's this interesting convergence of the cyber
world and the physical world and has a unique set of cybersecurity challenges. And so take us
through what are some of those challenges? Well, first is that oftentimes these sensors can be
spoofed. There's been some interesting research coming out of the University of Michigan for the
last few years showing that attackers can,
for example, send acoustic waves or high energy RF signals that will inductively couple into some of
these circuits and cause false readings. And if false measurement data gets processed by these
control algorithms, wrong decisions get made. And that can potentially be a major safety problem.
Another example of some interesting research that's going on here at Virginia Tech by one
of my colleagues, Dr. Ryan Gerdes, is actually looking at the actuators. So the things that
change, motors and servos, things of that nature. So he has a paper coming up in the next couple
of weeks at a major security conference that shows that you can use a magnetic wave
to cause a motor to turn in a controllable way. So for example, he can actually take control of
a UAV by using these magnetic waves to directly control the motors, which is really interesting
because there's really no cyber defense against that because it's not anything that affects any of the digital control logic in the system. Yeah. So is this a matter of having
systems in place to recognize these anomalies when they happen? Definitely. So that's one of the key
countermeasures. Most of these systems are designed to be resilient in the face of some sort of
failure or fault or noise. But none of them anticipate that there is a
malicious element that's causing these particular failure modes. So the research agenda that we have
at Virginia Tech is looking at how you can begin to build these cyber physical control systems
and have them presume the presence of a malicious actor as part of the decision making logic.
Interesting work. Dr. Charles Clancy, welcome back and thanks for joining us.
Thanks a lot.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro.
It'll save you time and keep you informed.
Listen for us on your Alexa smart speaker, too.
The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.