CyberWire Daily - Warnings about the DPRK's Kimsuky Group. Election security in the US during the endgame. Section 230 and Big Tech. Another guilty plea in the eBay-related cyberstalking case.
Episode Date: October 28, 2020
US authorities warn that North Korea's Kimsuky APT is out and about and bent on espionage, with a little cryptojacking on the side. As the US elections enter their endgame, observers point out that the appearance of hacking can be just as effective for foreign influence operations as the reality. CISA continues to tweet rumor control and election reassurance. Joe Carrigan shares developments in end-to-end encryption. Our guest is Bilyana Lilly from RAND on Russia's strategic messaging on social media (and the disinformation that may be a part of it). Big Tech returns to Capitol Hill. And another guilty plea in the strange case of eBay-related cyberstalking. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/209
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
Today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
U.S. authorities warn that North Korea's Kimsuky APT is out and about and bent on espionage, with a little cryptojacking on the side.
As the U.S. elections enter their endgame, observers point out that the appearance of hacking can be just as effective for foreign influence operations as the reality.
CISA continues to tweet rumor control and election reassurance.
Joe Carrigan shares developments in end-to-end encryption.
Our guest is Bilyana Lilly from RAND on Russia's strategic messaging on social media
and the disinformation that may be part of it.
Big Tech returns to Capitol Hill
and another guilty plea
in the strange case of eBay-related cyber-stalking.
From the CyberWire studios at DataTribe,
I'm Dave Bittner with your CyberWire summary for Wednesday, October 28th, 2020.
The U.S. Cybersecurity and Infrastructure Security Agency, the FBI, and U.S. Cyber Command yesterday issued an alert detailing the tactics, techniques, and procedures being used
by North Korea's Kimsuky Group, a cyber espionage operation of that country's Hidden Cobra outfit.
The Kimsuky APT has been around, the agencies think, since 2012,
and they think spear-phishing is the way it typically gains its initial access to its victims.
It also uses watering-hole attacks and other social engineering techniques to establish itself.
Kimsuky's collection focuses on individuals and organizations in South Korea,
Japan, and the United States, and the intelligence requirements it seeks to meet involve foreign and national security policy that affect the Korean Peninsula, especially with respect to nuclear
policy and sanctions against the DPRK. The targets are either individual subject matter experts,
think tanks, or South Korean
government agencies. Should you be one of those targets, CISA, the FBI, and Cyber Command's
Cyber National Mission Force recommend that you sharpen your defenses, move to a higher state of
awareness, and up your game with respect to security awareness training and multi-factor
authentication. That's actually good advice to anyone at any time,
but it has particular salience if you're in the crosshairs of the Kimsuky Group.
The operators have in the past posed as South Korean journalists
and initiated contact with their targets under the guise of interview requests.
Most of the initial preparation has been benign
and designed to chum the waters
for the eventual phishing email. The hook has often been BabyShark malware. In addition to
its interests in policy, Kimsuky has also shown a characteristically North Korean interest
in theft, as Pyongyang doesn't pass up an opportunity to pull in revenue to redress
its chronic financial woes that international sanctions have induced in the pariah state.
It's not only think tanks and government agencies that get attention,
but cryptocurrency firms and exchanges as well.
And the APT is also known to engage in cryptojacking,
installing coin miners on its victims' systems.
So, Kimsuky's remit extends
to both traditional espionage and apparently to revenue-generating cybercrime. Forewarned is
forearmed. The Wall Street Journal, citing Facebook, says that with respect to election
interference, appearance is more important than reality. You don't have to actually have hacked anything to have an effect as long as people think you did.
The consensus now, for example, is that the Iranian actors who impersonated the Proud Boys
to send out threatening emails earlier this month had no special access to voter databases,
although they said they did.
It was enough that they could make people think they did and that they could associate the Trump campaign
with some discreditable and not particularly plausible threats of violence.
If your goal is just disruption and the creation of doubt or suspicion,
and Tehran seems to have adopted a kind of Junior Achievement version of Moscow's playbook
with respect to the current U.S. elections,
then you need not
have actually done anything at all. It's disinformation as scareware. CISA Director
Krebs has been tweeting advice and reassurance about election security in the few remaining
days before voting concludes on Tuesday. Among the points he makes is that website defacements,
like the one the Trump campaign briefly sustained,
are just petty larceny noise of very little consequence.
Those defacements, according to TechCrunch, were at the hands of altcoin scammers.
Big Tech begins its latest round of appearances before the U.S. Senate today.
Forbes predicts a lousy day for Facebook's Zuckerberg and Twitter's Dorsey.
At issue in this round is the future of Section 230 of the Communications Decency Act,
a law that gives online platforms the normally inconsistent protections of both a publisher,
who can pick, choose, and moderate content, and a neutral public square, which doesn't.
We're simplifying, but in broad outline, that's what Section 230 does.
Senators are believed likely to express skepticism over online platforms' commitment to operating in a viewpoint-neutral way,
or at least within as viewpoint-neutral a way as consensus deems possible.
From such preliminary versions of their prepared remarks as have become available,
here's roughly how the two high-profile social media companies are expected to come out of the gate.
Mr. Dorsey is expected to take a hard line against any changes to Section 230,
citing it as an essential protection for Internet speech.
Mr. Zuckerberg is believed to be more flexible, talking about the value of Section 230,
but acknowledging that maybe it could do with some modifications to bring it up to date.
His moderation has already led TechDirt, at least, to sneer at him as a sellout.
There's been another guilty plea in the very strange cyber-stalking case involving people who formerly worked for eBay. Reuters reports that Philip Cooke, who'd been
a supervisor of security operations at eBay's European and Asian offices, entered a guilty plea
to conspiracy charges of cyber-stalking and witness tampering. Mr. Cooke is among seven defendants
charged in the case involving harassment of a Massachusetts couple whose mom-and-pop online
auction newsletter displeased the eBay brass.
They're alleged to have harassed the couple on Twitter,
had raunchy adult material delivered to their home in discreditable ways,
and to have sent them disturbing packages like a bloody Halloween pig mask.
Why the couple aroused so much ire among eBay's leadership is part of the mystery.
Their newsletters seemed only occasionally and then mildly critical of the online auction giant.
Skins must have been pretty thin around San Jose.
Two more guilty pleas in the case are expected this week.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing the world what AI was meant to be.
Let's create the agent-first future together.
Head to salesforce.com slash careers to learn more.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Look at this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
...published research titled "Defending the 2020 U.S. Elections and Beyond: Hunting Russian Trolls on Twitter and Reddit with AI." For the Russian government, this is a part of Russia's strategy
of warfare. And various experts and governments have described this strategy with different terms.
Some have called it political warfare, others have called it hybrid warfare, hostile measures,
the Gerasimov Doctrine, you name it.
But the Russians use a specific term in their doctrine, which is in Russian,
информационное противоборство.
And we don't really have a direct translation in English,
but usually we will translate it as information confrontation or information warfare.
And disinformation in this particular strategy
is a tool of warfare.
And it aims to create chaos among us and divide us.
And in the Russian mindset,
this is a way to coerce a state
and achieve information superiority over the adversary.
And that is why my awesome co-author,
Florentine Alonzo, on this research
and I decided to tackle the topic.
We thought it was important enough to do that.
Now, you're using the term Russian troll here, which, of course, has some baggage.
Is the model able to differentiate just a Russian native attempting to speak in English, or can it actually dig deeper
into the content for the specific type of content that we would describe as being trolling?
Yes, it differentiates between trolls and non-native English speakers, specifically Russian.
Yes, we built our model in several steps and made sure that the model differentiates between actual Russian trolls
and actual Russian speakers who still decide to generate content in English. And for that,
we used several different data sets to train our model. And one of them, specifically to
make this distinction between the Russian writing in English and the troll writing in English, is that we used the model of Russians who have written essays in English,
and those Russians are native Russian speakers
and they write in English as a second language.
So the model was trained on exactly identifying the linguistic features
that a Russian will likely not get entirely right when writing in English
based on that data set.
And so where do you hope this goes next?
Is this something you're all going to put out in the world?
Are you going to share this?
Oh, absolutely, yes.
We are planning to. So what we published right now was a short blog, and we are writing a
more detailed analysis, a detailed paper that also describes every step of the process. And we also plan on making our
data set and all the analysis that we run public as well. And we hope that social media companies
could benefit from this. Maybe they're already using some analysis like this or some algorithm
and model like this. But we, as you know, Facebook and Twitter and other social platforms,
when they release information about accounts they have taken down, they don't really usually
tell us exactly how they have identified those accounts. They say that they use technical
indicators, but we don't really know whether maybe they're already applying a model
like this. And maybe that's why when we trained our model on data already released by Twitter,
maybe our model showed such high accuracy and precision
because exactly Twitter used a very similar model
to identify those profiles.
We don't really know for sure.
Yeah, that's fascinating.
I guess I'm looking forward to having a browser plug-in
or something like that that can tell me instantly
who I'm dealing with, whether or not they're a troll or not.
That would be fantastic. I think that would be a step in the right direction. If we could get to that level, that would make me so happy.
That's Bilyana Lilly from the RAND Corporation.
And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute and also my co-host over on the Hacking Humans podcast. Hello, Joe.
Hi, Dave.
Interesting article you brought to my attention. This was over on the ZDNet website, and it's titled "The encryption war is on again, and this time government has a new strategy," written by Steve Ranger. Joe,
another round in the crypto wars.
What's the latest here?
So this is talking about end-to-end encryption,
which is an application that allows me
to send information to you
with nobody in the middle being able to read it.
So we share our public keys, and then we can send each other messages.
And there is no hope of decrypting it,
at least not without finding some vulnerability
or knowing the keys, right?
So it's reasonably secure.
Well, these seven governments,
this is the US, UK, Canada, Australia, New Zealand,
and now India and Japan,
are worried about the use of end-to-end encryption.
And they are trying to persuade big tech companies
to reduce the level of security
that they offer to their customers, according to the article.
And they start off with the opening statement, "We, the undersigned, support strong encryption."
And they agree that it is important to protecting privacy, data, intellectual property, trade secrets, cybersecurity.
And in repressive states, it protects journalism, human rights, and defenders of other vulnerable people. Then it goes into the caveat, quote, "We urge the industry
to address serious concerns where encryption is applied in a way that wholly precludes any legal
access to content," right? This is what we call the lawful intercept problem, right?
Right, right.
In other words, I want to be
able to listen in on the conversation as a government person, like I used to be able to do
with phone calls. I could go out and get a wiretap warrant and listen to what bad guys were saying to
each other or what people I thought were bad guys were saying to each other. The issue here is that
these governments are looking for essentially a backdoor.
So let's come up with a theoretical company, Dave.
It's called Joe's Special Encryption Messenger, right?
Okay.
And we'll call it SEM, Special Encryption Messenger, Joe's SEM.
All right.
So let's say that Joe's SEM is an application that I developed that allows people to encrypt their communication end-to-end, but also requires that it is applied with a key that I maintain so that I can, if necessary, read the messages.
Okay?
So first off, let's look at the problems that it creates.
Number one, let's look at the use case that the government believes will happen.
The people can communicate privately until such a time as the government goes, oh, we think these people are communicating illegal stuff.
And they always talk about the four horsemen of the infopocalypse.
These are software pirates, organized crime, child abuse image purveyors, and terrorists.
These are what they say.
We need to watch out for these guys because these guys are bad.
And nobody says these guys are good guys, right?
Right.
We're all in agreement.
Right.
All those things are bad.
These are horrible people.
Right, right.
So the government comes to me and says, hey, Joe, we notice that this bad guy is using your communication thing.
Give us the information between this bad guy and this bad guy.
And I can do that, right?
All right. Well, that's fine.
That's a lawful intercept in the U.S.
But what if my messages are being sent or my app is being used in a country like Iran or in a country like North Korea or in a country like maybe even China where they do a lot of surveillance of their people?
And the government comes to me and says, hey, Joe, we notice these guys are participating in illegal activity.
Now, this is not something like software piracy, organized crime, child sexual exploitation images or terrorism.
This is just dissidence.
What we would look at in America as being something that would be perfectly lawful.
How do I know?
Now I have to make the decision of whether or not I want to help this government or that
government. I think that puts an undue burden on me. There's actually no mention in this article
about what kind of protections that these governments are offering to companies in these
countries. That's issue number one. Issue number two is what happens if my key gets loose, right?
This is just another surface area, right?
Another point of attack.
Now, if somebody knows that I have the keys that can decrypt all the communication, I'm going to become a big target.
If they get that information, if they get that key, that private key that encrypts all the traffic, then they're going to have access to it.
Or even if they just get a collection of keys, they're still going to have access to all the communication. And finally, my other big point is
while I say I might trust the U.S. government now for lawful intercept purposes, that doesn't
necessarily mean I trust them in the future and in perpetuity, right, future-proofing the communication, the security of communication is very important.
And people need to realize that the world is dynamic.
Things change.
Yeah, it's interesting to me that they're still coming at this.
They've added a couple of new countries who've joined in, Japan and India.
Yep.
And so it seems to me like it's almost a PR effort here where they're rather than saying,
and they point this out in the article,
rather than saying do something or else.
Yep, absolutely.
They're saying, hey, rather than us coming up with a solution,
we would really love it if you tech companies
would come up with a solution to this.
Be our pals. Be our friends. Right. It smacks me like they're waiting for something to happen,
and then they're going to say, if only the tech companies had let us see the information,
we could have promoted this. Yeah. Yeah. All right. Well, Joe Carrigan, thanks for joining us.
My pleasure, Dave. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro.
It'll save you time and keep you informed.
It's everywhere you want to be.
Listen for us on your Alexa smart speaker, too.
The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.