The Week that Was.
January 12, 2019.
By the CyberWire staff
They apparently got him: the #hackerangriff that wasn't much of an attack.
A 20-year-old man has been arrested for leaking the private information of around 1,000 German politicians and public figures. Germany's Federal Criminal Police (BKA) said he confessed to the breach and that his motive was annoyance at public statements the victims had made (BBC). Investigators say the man doesn't pose a flight risk, and he's been released under house arrest. Some think continued cooperation with the authorities will earn him a lighter sentence (The Guardian).
Bild reported that Germany's Federal Office for Information Security (BSI) asked the US National Security Agency for help in getting Twitter to track down and delete tweets and accounts that contained the leaked material. The BSI reportedly told the NSA that some of the victims were US citizens (Bloomberg).
The case is also an instructive cautionary tale about attribution from prior probability alone. Political figures get doxed. Who else but the Russians? They did it to the Americans, didn't they? And weren't they caught with their fingers in Bundestag networks not so long ago? What's likelier? Yes, but actually, it turns out, no. The base rate pointed one way and the evidence another. We're reminded of the Mirai botnet, widely believed at the time to have been a Russian cyber shot across the virtual American bow (The CyberWire). It turned out to be the work of a Rutgers student and a couple of his friends, out to make money in the Minecraft server business (US Department of Justice).
Israeli election security.
The head of Israel's Shin Bet intelligence service, Nadav Argaman, warned that a foreign country intends to interfere with the country's upcoming elections (Haaretz). Argaman didn't name the foreign country, nor did he elaborate on whom the interference might favor. Shin Bet quickly reassured the public that any attempted influence would be blocked. "The Shin Bet would like to make clear that the state of Israel and the intelligence community have the tools and capabilities to identify, monitor and thwart foreign influence efforts, should there be any," it said. "The Israeli defense apparatus is able to guarantee democratic and free elections are held in Israel" (The State).
Media speculation focused on Russia, which said "it does not intend to intervene in elections in any country in the world" (Haaretz).
Check Point released a study summarizing potential threats; it outlines the influence-operation tactics already seen in a number of Western elections. Check Point intelligence analyst Gal Fenigshtein noted that Israel votes on paper ballots, so any technical hacking attempts would more likely aim at obtaining information that could be used to influence voters than at the vote count itself (Haaretz).
Learning from the Internet Research Agency?
As Special Counsel Mueller's investigation into Russian election influence is widely believed to have entered its endgame (Washington Monthly), a different set of influence operations is receiving attention.
Facebook is investigating a group funded by LinkedIn co-founder Reid Hoffman to determine whether it violated Facebook's rules. The group, News for Democracy, established at least fourteen misleading news pages in the run-up to the 2018 US midterm elections (CNET). The pages were aimed at conservatives, with names like "The Holy Tribune" and "Our Flag Our Country." Once a page had built an audience, the group would quietly run political ads carrying Democratic messages. While the ads themselves disclosed that they were paid for by News for Democracy, Facebook users had no way of knowing that the same group was also operating the pages (The Telegraph).
Benjamin T. Decker, a research fellow at Harvard's Shorenstein Center on Media, Politics and Public Policy, told the Washington Post that "people start to trust the content emanating from the page, because it appeals to their interests, and once there is a certain degree of trust, you can start to pivot by slowly adding in kernels of disinformation or overly politicized information that lacks context."
Another group, American Engagement Technologies (AET), received $750,000 from Hoffman, some of which was used to fund false-flag operations against Republican Senate candidate Roy Moore in Alabama (CNET). The New York Times reported that one effort involved a fake movement to ban alcohol, presumably intended to alienate voters who drink.
The campaign extended beyond Alabama, with cultivation of voters in Texas and Tennessee too. Hoffman has said he regrets his involvement and wouldn't have funded the operations had he understood what they were up to (Verge). Facebook has already suspended several accounts involved in the campaign. "People connecting with [pages] shouldn't be misled about who's behind them," a Facebook spokesman told the Washington Post. "Just as we've stepped up our enforcement of coordinated inauthentic behavior and financially motivated spam over the past year, we'll continue improving so people can get more information about the pages they follow."
Cyber cold war (they say).
Several observers think the United States and China are engaged in a new cold war, one fought to a significant degree in cyberspace. Robert Kaplan, writing in Foreign Policy, says the US Department of Defense "considers China, with its nimble ability as a rising technological power—unencumbered by America's own glacial bureaucratic oversight—to catch up and perhaps surpass the United States in 5G networks and digital battle systems." Kaplan argues that trade tensions between the two countries are "merely accompaniments" to the military rivalry beneath the surface.
Defense One outlined the ways in which technology production appears to be headed into "distinct spheres of influence." Consider Western suspicion of Huawei and ZTE. "Chinese telecoms are rapidly developing competing technologies, benefit from government support in roll out and implementation of 5G services, and often offer their products at prices twenty to thirty percent cheaper than their competitors. The challenge for Washington is to create an environment that supports innovation at home and a shared approach to 5G security with its friends and allies."
SecurityWeek sees China taking a long-term approach to cyberwar, aiming at economic supremacy and pursuing it with some stealth. "The policy is not one of direct confrontation but more designed to slowly maneuver the global economy until dominance shifts from the U.S. to China."
Vietnam, Facebook, and the new cybersecurity law.
Vietnam says Facebook has violated its new cybersecurity law by allowing users and pages to post anti-government comments. Vietnam's Ministry of Information and Communications told state-run media that "Facebook had reportedly not responded to a request to remove fanpages provoking activities against the state" (The Straits Times). The ministry also complained of a failure to delete "slanderous" content and comments containing "defamation of individuals and organisations."
Facebook told TechCrunch, “We have a clear process for governments to report illegal content to us, and we review all these requests against our terms of service and local law. We are transparent about the content restrictions we make in accordance with local law in our Transparency Report.”
The law—which numerous Western media outlets call "draconian"—requires international tech companies to adhere to Vietnam's strict censorship laws (Naked Security). Internet companies are also required to establish local offices so Vietnamese authorities can have access to their data upon request. In November, Vietnam's information ministry announced that it wanted half of social media users in the country to be using domestic social networks by 2020 (Reuters).
Vietnam's policy resembles China's, where sweeping measures control the Internet within the country's borders. China has apparently succeeded in getting LinkedIn to require all users with a Chinese IP address to link their phone numbers to their accounts in order to use the service (TechCrunch). A LinkedIn China spokesperson told TechCrunch that "the real-name verification process for our LinkedIn China members is a legal requirement, which will also help improve the authenticity and credibility of online accounts."
A LinkedIn note for Chinese users states that "if you choose to change or delete your confirmed mobile number your ability to access our Services in certain countries (e.g. China) will be blocked until you once again confirm your identity" (TechCrunch).
Oversharing apps and Facebook.
Privacy International concluded that 61% of the apps it tested were sending usage data to Facebook, even when the user had no Facebook account. A single SDK event isn't very interesting on its own, but the report points out that, "if combined, event data such as 'App installed,' 'SDK Initialized,' and 'Deactivate app' from different apps also offer a detailed insight into the app usage behavior of hundreds of millions of people."
The report adds that the apps themselves "can paint a fine-grained and intimate picture of people's activities, interests, behaviors and routines, some of which can reveal special category data, including information about people's health or religion." It's not clear what the information was used for, but Privacy International believes the data collection may have violated GDPR.
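To make the report's point concrete, here is an added example (not code from Privacy International or Facebook) of why per-app SDK events that look harmless in isolation become sensitive once an aggregator joins them on a shared device identifier. The event names follow the report's wording; the device IDs, app names, timestamps and the app-to-category mapping are constructed for this illustration.

```python
"""
Added example: cross-app correlation of SDK telemetry.

Each app embedding the same analytics SDK sends a small event record to one
endpoint. Individually, an event says little. Joined on the device identifier
that every app includes, the events reveal which apps a person uses, when,
and therefore things like religion or health status.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of what a shared analytics endpoint might receive.
# Only "device_id" ties records from different apps together.
SAMPLE_EVENTS = [
    {"device_id": "ad-1111", "app": "Prayer Times", "event": "App installed", "ts": "2019-01-07T06:15:00"},
    {"device_id": "ad-1111", "app": "Prayer Times", "event": "SDK Initialized", "ts": "2019-01-07T06:15:02"},
    {"device_id": "ad-1111", "app": "Cycle Tracker", "event": "SDK Initialized", "ts": "2019-01-07T22:40:00"},
    {"device_id": "ad-1111", "app": "Cycle Tracker", "event": "Deactivate app", "ts": "2019-01-07T22:45:00"},
    {"device_id": "ad-1111", "app": "Job Board", "event": "SDK Initialized", "ts": "2019-01-08T12:00:00"},
    {"device_id": "ad-2222", "app": "Job Board", "event": "App installed", "ts": "2019-01-08T09:00:00"},
    {"device_id": "ad-2222", "app": "Job Board", "event": "SDK Initialized", "ts": "2019-01-08T09:00:05"},
]

# Constructed mapping of app -> (category, is_special). "Special" marks
# categories that GDPR Article 9 treats as special category data.
APP_CATEGORIES = {
    "Prayer Times": ("religion", True),
    "Cycle Tracker": ("health", True),
    "Job Board": ("employment", False),
}


def single_app_view(events, app):
    """What one app's developer sees alone: event counts, no cross-app context."""
    counts = defaultdict(int)
    for ev in events:
        if ev["app"] == app:
            counts[ev["event"]] += 1
    return dict(counts)


def build_profiles(events):
    """Group all events by device ID and derive what each device reveals."""
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev["device_id"]].append(ev)

    profiles = {}
    for device_id, evs in by_device.items():
        apps = sorted({e["app"] for e in evs})
        categories, special = set(), set()
        for app in apps:
            cat, is_special = APP_CATEGORIES.get(app, ("unknown", False))
            categories.add(cat)
            if is_special:
                special.add(cat)
        # "SDK Initialized" fires when the app is opened, so its timestamps
        # sketch the person's daily routine.
        active_hours = sorted({datetime.fromisoformat(e["ts"]).hour
                               for e in evs if e["event"] == "SDK Initialized"})
        profiles[device_id] = {
            "apps": apps,
            "categories": sorted(categories),
            "special_category_data": sorted(special),
            "active_hours": active_hours,
        }
    return profiles


if __name__ == "__main__":
    print("One app alone:", single_app_view(SAMPLE_EVENTS, "Job Board"))
    for dev, prof in build_profiles(SAMPLE_EVENTS).items():
        print(dev, prof)
```

The contrast between `single_app_view` and `build_profiles` is the whole point: the job-board developer only ever sees install and open counts, while the party receiving events from every app can tell that device ad-1111 belongs to someone who prays at dawn, tracks a menstrual cycle, and is looking for work. That inference, not any single event, is what the report argues may fall under GDPR's special-category rules.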
Bloomberg reported Tuesday that certain Android phones developed by Samsung are unable to delete the Facebook app. The phones only give their users the option to "disable" the app. This is apparently due to "various pre-install deals Facebook has made with phone manufacturers, operating systems and mobile operators around the world over the years."
Mobile companies and geolocation.
Motherboard reported Tuesday that T-Mobile, Sprint, and AT&T are selling customers' location data through a chain of transactions spanning multiple third parties. The data wind up in a "dizzying number of sectors," and some of it is sold on the black market. Motherboard gave a phone number to a bounty hunter, who was able to pinpoint the phone's location to within a few blocks. The bounty hunter obtained the data from a broker, MicroBilt. "T-Mobile shares location data with an aggregator called Zumigo, which shares information with MicroBilt," Motherboard said. "MicroBilt shared that data with a customer using its mobile phone tracking product. The bounty hunter then shared this information with a bail industry source, who shared it with Motherboard."
All the companies involved, including MicroBilt, say they aren't aware of data being used in an illegitimate way. Last year, all four major carriers changed their policies after news broke that a prison telecom company was offering a service that allowed law enforcement officers to locate almost any phone in the US within seconds (Ars Technica). Several senators are calling for an FCC investigation (Motherboard).
Patch news.
Google has patched more than two dozen security flaws in Android, including a critical remote code execution vulnerability (SecurityWeek).
Microsoft patched seven critical vulnerabilities, the most dangerous of which is a DHCP flaw that could allow remote code execution (The Daily Swig).
Adobe's January 2019 updates include important patches for Adobe Connect and Adobe Digital Editions, but none for Flash Player (BleepingComputer).
Crime and punishment.
Russian Deputy Foreign Minister Sergei Ryabkov said that it's too early to discuss a prisoner swap involving US citizen Paul Whelan because Whelan hasn't yet been officially charged with espionage (Radio Free Europe/Radio Liberty).
POLITICO reports that Kaspersky Lab tipped off the US National Security Agency that someone at Fort Meade was behaving suspiciously: direct messages sent on Twitter to Kaspersky researchers had raised the company's suspicions. The tip apparently led to the FBI raid on the home of NSA contractor Harold T. Martin III (Axios).
Courts and torts.
A US district judge dismissed a lawsuit brought against Apple over the Meltdown and Spectre vulnerabilities in the ARM-based processors in its devices. The plaintiffs held that the iOS 11.2.2 update, which mitigated the flaws, slowed their devices more than the company would admit, but the judge said the plaintiffs' case was "premised on a self-serving and selective reading of [the] Defendant's test results" (AppleInsider).
The Weather Channel faces a lawsuit by the city of Los Angeles alleging that it misled users about how it used location data its app collected. The lawsuit alleges that The Weather Channel "has deceptively used its Weather Channel App to amass its users’ private, personal geolocation data – tracking minute details about its users’ locations throughout the day and night, all the while leading users to believe that their data will only be used to provide them with ‘personalized local weather data, alerts and forecasts'” (ThreatPost).
Policies, procurements, and agency equities.
US senators Mark Warner and Marco Rubio introduced a bipartisan bill that would establish a new federal office tasked with combating foreign threats to US technology, particularly supply-chain vulnerabilities and trade secret theft. Both senators made it clear that they had China in mind while drafting the bill (The Hill).
The National Counterintelligence and Security Center (NCSC) has warned businesses to be aware of cyber espionage from foreign intelligence services. "Make no mistake: American companies are squarely in the crosshairs of well-financed nation-state actors who are routinely breaching private-sector networks, stealing proprietary data and compromising supply chains,” said NCSC Director William Evanina (Washington Times).
Fortunes of commerce.
The US Government shutdown may be biting government contractors. Aerospace and defense firms, including those providing security services, are feeling the pinch (Washington Post).
The shutdown also affects civil servants. While they're expected to receive back pay when the government opens back up (Vox), some observers are concerned about the long-term impact on agencies' recruitment abilities. Byron Callan, an analyst for Capital Alpha Partners, told Defense News that "there might be near-term collateral damage if people leave government service, but a 1-3 year factor to consider is how this shutdown and the potential for future ones accelerates reliance on federal service contractors."
Deloitte thinks the general digital skills gap is narrowing. The company's Digital Disruption Index shows that 60% of executives are confident in their own digital skills, up from 45% in a survey six months ago. Additionally, 18% of digital leaders believe that new graduates have sufficient digital skills and experience, up from 12% in the previous survey (Information Age).
The huge US security clearance backlog shows some signs of easing, due to Congress shifting some responsibility to the Pentagon. The total number of unclosed investigations has fallen from 700,000 to 600,000 over the past year, and that number is falling by 3,000-4,000 per week. An executive order is pending that could speed up this process even more by shifting all of the Office of Personnel Management's staff and resources involved in clearance activities to the Pentagon's Defense Security Service (Forbes).
British cybersecurity company Sophos has bought Avid Secure, a startup that focuses on cloud security (ZDNet).
Investments and exits.
Montreal-based TrackTik has raised $45 million, which it intends to use to boost its artificial-intelligence capabilities (Montreal Gazette).
And security innovation.
The NSA will release a free software reverse engineering tool to the public at RSA this March (Computer Business Review).
IIoT and industrial control system (ICS) security firm CyberX has been awarded a threat-monitoring patent (Power Magazine). The patent covers "unique methods and systems for learning ICS network behavior and accurately identifying anomalous activities."
Today's issue includes events affecting Canada, China, Germany, Israel, Russia, United Kingdom, United States, and Vietnam.
ON THE PODCAST
Research Saturday is up. In this edition, "Magecart payment card skimming analysis," we hear how researchers at RiskIQ have been tracking a series of web-based credit card skimmers known as Magecart. We take a closer look at attacks on Ticketmaster, British Airways, NewEgg and Shopper Approved payment card pages. Yonathan Klijnsma is lead of threat research at RiskIQ, and he guides us through what they've learned.