The threat intelligence event of the year is just around the corner—Detect '18! Join team ANOMALI and your fellow professionals at the Gaylord National Resort & Convention Center September 19-21, 2018 in National Harbor, Maryland for timely education and training on today’s most compelling, relevant threat intelligence topics, breakout sessions designed for all levels of experience, and insights from compelling customer presentations highlighting real-world threat intelligence big data issues. Register today!
The Week that Was.
September 1, 2018.
By The CyberWire Staff
Twitterbots get political in Sweden.
Automated Twitter accounts have turned up in Sweden, according to a study by that country's defense research establishment. The bots, of unknown provenance, appear to be interested in the election, where they seem likelier to favor the country's third largest party, the Sweden Democrats, whose nationalist and anti-immigrant line appears positioned to make a run at overtaking the opposition Moderate party for second place behind the governing Social Democrats. The bots, wherever they come from, seem to like what's on offer. There's no attribution, yet, but it would be naive to assume that this is grassroots or even domestic activity (AP).
Learn how to achieve one source of truth for risk, compliance & vulnerability management.
Today most organizations are developing applications, either for external customers or to run the business. Either way, you need to make sure secure software is shipped, especially as the cybersecurity landscape is constantly changing in tactics and intensity. Read how IT resilience platform provider Zerto is using the CYBRIC platform to achieve one source of truth for risk, compliance and vulnerability management across its dynamic SaaS environment and making sure it has the right security processes in place for future growth.
Medical device bugs, inherited from the IoT.
Manufacturers of two medical devices, Qualcomm's Life Capsule Datacaptor Terminal Server and Becton Dickinson's Alaris TIVA Syringe Pump, disclosed through ICS-CERT that their devices allow remote unauthenticated access. Fixes are available; hospitals are urged to apply them (Threatpost).
The issues were discovered and disclosed to the manufacturer by the security firm CyberMDx. The Datacaptor Terminal Server is susceptible to an old exploit, the "Misfortune Cookie," which was described in home routers by Check Point back in 2014. The Misfortune Cookie lets an attacker write to device memory without authentication. Datacaptor is a medical device gateway connecting monitors, respirator, anesthesia delivery systems, and infusion pumps to a hospital network. The most disturbing form of possible exploitation would involve altering device functions.
The Becton Dickinson Alaris syringe pump issue, noted by CyberMDx, could also enable an attacker to alter device performance. Hackers could abuse a proprietary protocol to gain unauthenticated access to the device, then start or stop the pump, alter the rate drug delivery, or silence alarms.
Coincidentally, NIST has just warned about the risks of connecting infusion pumps to wireless networks (Health IT Security).
Become a Cyber Spartan and Defend the Gates of America. At Invictus International Consulting we are hiring DevOps, Cloud, Security Engineers, and Cyber Weapons Developers to serve our government and commercial clients. Join us.
A previously unknown Microsoft Windows local privilege escalation zero-day was announced on Twitter late Monday by "SandboxEscaper," whose Twitter account has displayed a mixture of remorse and depression (and we hope, seriously, that SandboxEscaper is OK). CERT/CC quickly verified that the zero-day was real, and that it worked against "a fully-patched 64-bit Windows 10 system." The vulnerability exists in Windows' Task Scheduler and has been given a CVSS score of 6.4—6.8. There are no known workarounds for the vulnerability (ZDNet). It's generally thought that Microsoft will address this issue in its September round of patches, superseding the interim third-party patch 0Patch released this week. The last place you want to find an exploit is GitHub...wait, who owns GitHub, anyway?
Traditional browsers betray you by revealing your identity. Security teams who use a cloud browser manage attribution and can reduce the time spent investigating cases by more than 50%. Instead of wasting time spinning up a VDI, using Tor or connecting to a jumpbox, get online in seconds with Authentic8 Silo, a secure cloud browser and egress from hundreds of points of presence around the world.
Apache Struts exploit now being used in the wild.
Volexity is warning that they've found the Apache Struts remote-code-execution vulnerability patched last week being exploited in the wild. The initial round of exploitation has involved installation of cryptojackers. This isn't a vulnerability people should sleep on. It was a known, unpatched, Apache Struts vulnerability that was at the root of the epic Equifax data breach last year (SecurityWeek).
Get security training from FireEye experts at Cyber Defense Summit.
Training opportunities at CDS offer attendees hands-on, small-group, interactive sessions with some of the world’s foremost experts in cyber security. Whether you’re an expert or just starting out in security, there’s a course designed for you. Register now.
Pretty advanced, and pretty quiet.
"BusyGasper" Android spyware has been quietly active since May 2016, according to Kaspersky Lab. It's a very small but interesting malware variant, found so far in only ten phones, all of them in Russia. It's a keylogger, device sensor, and very much more (SecurityWeek).
Protecting the power grid.
Electrical utilities are investing billions in grid protection; power consumers will inevitably see higher rates, and, it's to be hoped, a more resilient and reliable network (AP).
Five Eyes agree to stare down influence operations, scowl at encryption.
The Five Eyes, as the intelligence services of the US, UK, Australia, Canada, and New Zealand are called in recognition of roughly a century of close cooperation, agreed this week to increase collaboration in cyberspace (Fifth Domain). The official communiqué covered much familiar ground: determination to work against terrorism, cooperation on law enforcement, border security (with an emphasis on fighting human trafficking), a shared commitment to a safe and open Internet, determination to protect children, and so on. From a US point-of-view it looks very much like a Homeland Security and Justice statement.
Four points are worth particular mention. First, the five governments expressed a common determination to share intelligence and resources to thwart foreign influence operations. Second, the governments say their talks this year have focused on "tangible deliverables and practical collaboration." Third, they regret that industry declined their invitation to participate in the discussion, because none of this will work without industry help. And, finally, they're not going to give up the Crypto Wars. They remain concerned that end-to-end encryption makes it too easy for criminals and terrorists to operate with impunity. The discussions produced a joint Statement of Principles on Access to Evidence and Encryption. One concession to the pro-encryption side: "Governments should recognize that the nature of encryption is such that that there will be situations where access to information is not possible, although such situations should be rare."
Twitter will now require "more transparency" of customers who purchase political ads, particularly when they're issue ads dealing with inflammatory issues. The prospective buyers would have to say who they are and establish their identity (Washington Post).
But there's a growing consensus among political operators—actual, overt campaign managers and consultants, not St. Petersburg trolls, but rather machine politicians and get-out-the-vote specialists—that the biggest payoff from divisive messaging is to be had from Facebook, and they're out there vigorously posting and buying (Wall Street Journal). In this case, Americans, recall Pogo Possum's political dictum: "We have met the enemy and he is us."
More instances of the difficulty of content moderation.
Content moderation is difficult even when it's as unaffected by political bias and ideological commitment as such things can ever be. Facebook pulled down a post posted by the Anne Frank Center because it contained a photo of naked, starving children, Holocaust victims and survivors, photographed on the occasion of their liberation by American forces. It wasn't the genocide, but the nudity. Facebook was oblivious to context and therefore content, and interpreted the photo as child pornography. The post has since been restored, with an apology by Facebook (TechCrunch). It would strain a credulous conspiracy theorist to think that Facebook was a nest of Holocaust denial, but objectively (as the Marxists used to say) that's the tendency of this particular bit of content filtering.
It's a tough problem, and it would be idle to pretend that Silicon Valley doesn't face strong cross-currents of official and public opinion. Even as Facebook embarrassed itself by fumbling a Holocaust memorial site, Google was being blasted by the British Foreign Minister for its complicity in distributing abusive images of children (Reuters).
Some of the issues clearly arise when platforms seek to use automated systems to inspect and regulate content. The European Union, which is considering particularly ambitious copyright protection regulations, might consider one music professor's experience with Google's Content ID system on YouTube. It repeatedly flagged copyright violations when he posted classical performances known to be in the public domain. His experience with the algorithms' human servants was unsatisfying, and he never reached better than a partial and unsatisfactory resolution. In any case not only is Papa Hayden long dead, but whatever copyright he held while alive has expired. But try telling that to YouTube (Motherboard).
Tumblr has revised its terms of service to rule out stalking, nonconsensual "creepshots" and deep fakes. We wish them success, however they go about it. For now their approach to curation seems similar to Reddit's (Naked Security). (Fun fact: the US Intelligence Community blogs on Tumblr.)
To return to our algorithmic masters' bluestocking proclivities, there's the still-unsolved Scunthorpe Problem, in which the AI interprets people's perfectly innocent names the way it might if the AI were an unusually low-minded playground monitor (Motherboard). What do they train the AI on these days? Some AI has been less intrusively prudish, but those days seem behind us. Hey, Redmond: tell Tay to come back. All is forgiven. Well, not all, maybe... See? It's tough.
Influence operations' important demographic.
Angry young men are as important to Kremlin influence operators as the 18-to-34-year-old demographic is to consumer product marketing. Fight clubs, motorcycle clubs, and so on are important targets of online and in-person influence (Defense One). Angry young men have been equally important to jihad, as prison radicalization and much online activity suggest (Military.com).
Crime and punishment.
Toronto resident Kevin Curran Schuchman has been hauled before the US Federal District Court in Anchorage, Alaska, (by teleconference; he eventually flew to Anchorage Friday) and charged with two counts of violating the Computed Fraud and Abuse Act by installing malware into non-cooperating systems between August and November of last year. The charging document doesn't name the malware it alleges he installed, but the Daily Beast thinks signs point to the Satori botnet. Mr. Schuchman had been active in various online hacking communities under the nom-de-hack "Nexus Zeta." Check Point researchers noticed Nexus Zeta's chat requests for help in setting up a botnet, and eventually the pseudonym was traced to Mr. Schuchman. Some doubt that he had the technical chops to pull off something like Satori.
US Federal prosecutors are interested in talking to Yevgeniy Nikulin, awaiting trial in California for charges related to his role in a major LinkedIn hack. The Department of Justice thinks he may have played a role in Russian election meddling. A lot of people want to talk to Mr. Nikulin, including the Russian embassy and his own lawyers, but Mr. Nikulin isn't talking, not even, his lawyers complain, to them (Bloomberg).
Convicted Ukrainian carder Ruslan Yeliseyev has been sentenced to six years for trafficking stolen financial information and related offenses (Cyberscoop).
Gamarue, also known as Ar3s or Wauchos, co-architect of the Andromeda botnet, birth name Sergey Yarets, was released from a Belorussian prison on August 9th. He was ordered to pay $5500 in restitution for what he stole with his botnet. Mr. Yarets said he bought the exclusive rights to Andromeda in 2012 from a Russian "genius and alcoholic" whose nom-de-hack is the curiously American-sounding "waahoo." He was the sole proprietor until US and European law enforcement agencies took down the botnet in late November 2017. Mr. Yarets was arrested shortly thereafter.
Contrast Mr. Yarets's punishment with the six years in a US slammer Mr. Yeliseyev just got. Mr. Yarets's swift release makes the sentence seem almost like a letter of recommendation. Opposition Radio Svaboda Belarus said that Yarets's attorney "elaborated that Yarets's extraordinary knowledge should serve the country's interests and that there was no evidence of damage done to Belarusian citizens or organizations because Yarets did not target member countries of the Commonwealth of Independent States" (SecurityWeek). As Recorded Future drily observes, this is another post-Soviet case of a prosecution in the interest of the security and intelligence services: a slap on the wrist and then co-option of the criminals for patriotic work.
In Connecticut, George Garofano received eight months in Federal prison plus three years of supervised release and sixty hours of community service for his role in phishing credentials and then accessing celebrity iCloud accounts. The incident occurred in 2014, and was variously known as "Celebgate" or "the Frappening." Mr. Garofano was mostly interested in saucy photos; he most regrets the "loss of rights" his conviction will entail (AP). He has not so far as anyone knows been recruited to hack for the FBI or any other three-letter agency.
Courts and torts.
NSO Group, well-known for its spyware (or lawful intercept) products, is facing lawsuits from people who allege their devices were compromised by NSO Group during demonstrations conducted during sales calls. The plaintiffs aren't the prospective customers (New York Times).
A new class action lawsuit has been filed on behalf of Canadians affected by last year's Equifax breach (Vancouver Sun).
Policies, procurements, and agency equities.
The US Department of Homeland Security is working to get traction in Congress for a name change. It would like to change the name of the National Programs and Protection Directorate (NPPD) to the "Cybersecurity and Infrastructure Security Agency," which it regards as more accurately descriptive. A bill sponsored by Representative Michael McCaul (Republican of Texas) would do just that, and would also move non-core functions out of the Directorate: the Federal Protective Service and the Office of Biometric and Identity Management would both go elsewhere (Federal News Radio).
The US Department of Defense has revised its JEDI cloud solicitation to, among other things, address industry objections that the competition was wired for Amazon to prime (not Amazon Prime) (FCW). Oracle has filed a supplemental protest against JEDI. The grounds of that protest are unclear, but in general the Pentagon's decision to award the whole contract to a single prime has been the focus of much formal protest so far (Nextgov).
Fortunes of commerce.
Huawei has requested a US Federal Trade Commission hearing to appeal its banishment from US Government networks (Venture Beat). ZTE is conducting a kind of security and good-behavior charm offensive (Light Reading). The company thinks it will return to profitability this quarter after a brush with sanctions that denied access to its US supply chain almost proved lethal (CRN). It hopes customers will think it scared straight. But the two companies may soon find themselves in hot water with another government, Japan's, where Prime Minister Abe is rumored to be thinking hard about whether the Chinese device makers constitute an unacceptable security risk (Light Reading).
US Senator Orrin Hatch (Republican of Utah) has asked the Federal Trade Commission to take another look at Google, which he and others suspect of embedding political bias in its services (Ars Technica).
As demand for cybersecurity talent continues to exceed supply, organizations look to automation (Dark Reading).
Mergers and acquisitions.
Australian managed security provider Tesserent is preparing to acquire Melbourne-based managed services provider Asta Solutions for $3.8 million. Asta is a significant Microsoft partner in the capital region (CRN).
Zscaler has bought a significant piece of Trustpath, a cybersecurity startup whose AI expertise Zscaler hopes to profit from (CRN).
Ohio-based 3SG Plus has acquired endpoint security shop OnGuard Systems (PRNewswire).
Investments and exits.
Andreesen is leading an $8.5 million Series A round for Very Good Security. The San Francisco-based start-up offers secure data warehousing for companies who prefer to transfer the risks of data storage (reputational, regulatory, etc.) to someone else (TechCrunch).
Lacework is expanding its cloud security business with a $24 million Series B round led by Sutter Hill Ventures (SecurityWeek).
Indegy, industrial cybersecurity specialists headquartered in New York with research and development facilities in Tel Aviv, has closed an $18 million Series B round led by Liberty Technology Venture Capital with participation from Centrica plc, O.G. Tech Ventures, and existing investors Shlomo Kramer, Magma Venture Partners, Vertex Ventures and Aspect Ventures (SecurityWeek).
And security innovation.
Amazon is pushing hard to introduce innovative cryptographic security into its products (TechCrunch).
Arlington-based start-up DeepSig is commercializing wireless security technology developed at Virginia Tech's Hume Center (Virginia Tech News).
Today's issue includes events affecting Australia, Canada, China, European Union, Japan, New Zealand, Russia, Sweden, United Kingdom, United States.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.