In today’s podcast we hear about Russian reports of an APT active against military, scientific, defense, and government networks. US investigations into the hacks of the DNC, DCCC, and Clinton campaign continue, with suspicion still directed at Russia. ISIS calls online for an extension of jihad to Russia. The SpyNote Android Trojan is out in the criminal underground. Researchers report vulnerabilities associated with WhatsApp and SwiftKey. And we share some security advice from Level 3's Dale Drew for those attending Black Hat.
Dave Bittner: [00:00:03:16] Russia says it's been hacked and it's being careful with attribution. US investigation of hacking into Democratic Party assets continues with most observers still seeing a Russian hand behind the incidents. ISIS issues fresh calls for Jihad. The SpyNote Android Trojan seems poised for an outbreak. Vulnerabilities affecting users of SwiftKey and WhatsApp are reported. And some advice for those attending Black Hat.
Dave Bittner: [00:00:33:03] Time to take a moment to tell you about our sponsor, Cylance. Are you looking for something beyond legacy security applications? If you are (and who isn't?) you're probably interested in something that protects you at machine speed, and that recognizes malware for what it is, no matter how the bad guys have tweaked the binaries or cloaked their malice in the appearance of innocence. Cylance knows malware by its DNA. Their solution scales easily, and it protects your network with minimal updates, less burden on your system resources, and limited impact on your network and your users. Find out how Cylance is revolutionizing security with artificial intelligence and machine learning. It may be artificial intelligence, but it's real protection. Visit cylance.com to learn more about the next generation of anti-malware. And if you're at Black Hat this year, drop by booth 1124 and chat with the Cylance people. Cylance: artificial intelligence, real threat prevention. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:01:36:04] I'm Dave Bittner in Baltimore with your CyberWire summary for Monday, August 1st, 2016.
Dave Bittner: [00:01:42:01] Over the weekend Russia’s FSB reported that some 20 organizations in that country had been afflicted by sophisticated advanced persistent threats. Many reports are calling the incidents attacks on critical infrastructure. But in this case “infrastructure” seems to be used loosely to describe any network regarded as important. The affected enterprises are said to include “scientific and military institutions, defense contractors and public authorities.” And the hacking appears to aim at espionage as opposed to disruption or destruction.
Dave Bittner: [00:02:13:07] Russian sources decline to attribute the incident, but suggest the responsible actors are both sophisticated and capable. Kaspersky Labs is investigating, and it, too, declines to offer attribution, although it describes whoever’s responsible as “a powerful cyber gang.”
Dave Bittner: [00:02:29:10] It’s difficult to read the reports without seeing a not-so-veiled tu quoque aimed in the general direction of Washington, or perhaps more precisely in the general direction of Langley and Fort Meade. Recent weeks have been dominated by news of election-related hacking of Democratic Party sites in the US, including the Clinton campaign, the Democratic National Committee and the Democratic Congressional Campaign Committee. The consensus that these attacks were the work of Russia’s FSB and GRU has been growing, and has been accompanied by increasingly sharp calls for retaliation, recognition that we’re in a cyber war, etc. So refusing the easy temptation of quick attribution to the US is telling; there may be some example-setting going on here. The prim Russian coyness about attributing the incidents stands in contrast to much coverage in the US media, which has been quick to see the hacks as evidence that someone, usually specified as NSA, is doing something. It’s worth remembering that such attribution is for now, however likely it might appear, a matter of speculation on the grounds of a priori probability.
Dave Bittner: [00:03:34:11] We note that Russia Today, a reliable conduit of the Putinist view of things, quotes US Director of National Intelligence Clapper with approval when he advises everyone to “stop hyperventilating” until we know more about the election season hacks in the US. Investigation is in the hands of the FBI and may be expected to proceed at the usual deliberate speed of law enforcement. Concern over the Russian hacks of the Democratic Party (forgive the hyperventilation, we’re just noting the consensus) isn’t limited to US figures.
Dave Bittner: [00:04:04:21] A British general has pointed out that such activities may represent a new normal in 21st Century hybrid conflict. General Sir Richard Barrons called for a civilian reserve, what the Times of London calls “a part-time army of geeks,” that could be made available to respond to comparable threats to the UK. This proposal for a kind of cyber Dad’s Army has had echoes in other countries’ plans for various kinds of cyber reserves, that could draw upon civilian security talent at need. In the US, for example, there are ongoing Congressional discussions of expanding the role of the National Guard in cyber defense.
Dave Bittner: [00:04:41:00] WikiLeaks’ Julian Assange declined yesterday to say whence he received the DNC documents WikiLeaks has made public, essentially refusing to burn his sources. If those sources are in fact Russian security organs, their motivation remains an open question. The likeliest motive may be the general goal of eroding confidence in US political institutions, as opposed to supporting any particular electoral outcome. But the observers who are commenting are at this point engaging in speculation.
Dave Bittner: [00:05:10:14] French police are investigating alleged accomplices in the church attack near Rouen, suggesting that the ISIS killers were not so much lone wolves as members of a local pack that heard the howling from Syria. Two persons are said to be the subject of the inquiry, so far.
Dave Bittner: [00:05:25:12] Over the weekend ISIS called upon its followers to bring jihad to Russia. The call was issued in the form of a YouTube video, with partial authentication coming through the video’s distribution via known ISIS Telegram accounts.
Dave Bittner: [00:05:38:22] There are a variety of small but interesting developments in cybercrime to report. Some of Conficker’s old command and control infrastructure, thought to have been out of commission, has begun to turn up in current criminal campaigns.
Dave Bittner: [00:05:51:23] The code for the SpyNote Android Trojan has leaked to the underground market. Observers expect it to appear in attacks soon. SpyNote is capable of installing a backdoor in an infected device.
Dave Bittner: [00:06:04:04] SwiftKey’s typing predictions may be leaky, and the vendor has moved to suspend that function.
Dave Bittner: [00:06:10:12] Deleted WhatsApp messages are said to persist in the cloud, where they could be susceptible to interception.
Dave Bittner: [00:06:18:11] Finally, Black Hat is underway. The training sessions that began over the weekend continue today. Tomorrow, the conference features the CISO summit, and Wednesday and Thursday will be devoted to workshops, presentations and sponsored sessions. We'll be offering some perspective from the event as the week goes on. And we trust that our stringers are being properly careful at Black Hat. If you’re attending, you should be careful, too. This conference is always a bit wild in terms of the security challenges it presents. And we needn’t even describe the challenges presented by the concurrently running, but independent, DEF CON. Suffice it to say that Black Hat is sometimes called DEF CON’s grown-up counterpart. We spoke to Dale Drew from Level 3 about some Black Hat do’s and don’ts. We'll hear from him after the break.
Dave Bittner: [00:07:02:21] So stay safe out there, and what goes on in Vegas doesn't necessarily stay in Vegas, you know. And follow any Pokémon with due caution.
Dave Bittner: [00:07:15:11] Time to take a moment to thank our sponsor, E8 Security. You know, to handle the unknown, unknown threats, you need the right analytics to see them coming. Consider the insider threat and remember, that an insider threat isn't necessarily a malicious actor. Sometimes it's a well-intentioned person who's careless, compromised, or just poorly trained.
Dave Bittner: [00:07:32:13] Did you know you can learn user behavior and score a user's risk? E8 can show you how. Did you know, for example, that multiple Kerberos tickets granted to a single user is a tip-off to a compromise? E8 can show you why. Get the white paper at e8security.com/dhr and get started.
Dave Bittner: [00:07:49:24] And if you're at Black Hat this week, check out E8's great t-shirt scavenger hunt. The details are on their website.
Dave Bittner: [00:07:55:24] Detect, hunt, respond. E8 Security. And we thank E8 for sponsoring our show.
Dave Bittner: [00:08:08:03] And joining me once again is Dale Drew, he's the Chief Security Officer at Level 3 Communications. Dale, a lot of people are gearing up to head out to the Black Hat conference. You've got some tips and some precautions for folks who might be heading out to the show?
Dale Drew: [00:08:22:09] I do. Black Hat is not your typical security conference; it is not for the faint of heart from a security perspective. The sort of precautions that I would recommend are things that help people protect themselves when they're in an environment that is just awash with very technical people who are experimenting with new technology at that venue and that event.
Dale Drew: [00:08:50:24] We've seen situations where conference-goers are creating their own wireless hotspots, with the same name as the legitimate conference names. So people get connected to "the bad guy" hot spot rather than the legitimate hot spot. Bad guys then intercept all that traffic, they inject malware in the middle of that traffic, and then can take over a computer and then produce research results.
Dale Drew: [00:09:18:02] We've even seen bad guys or conference-goers create cell phone towers, that are used to intercept cell phone traffic and, again, get access to the data or inject payloads into the data for the purposes of gaining access to passwords, or getting access to the end device itself. So, a lot of caution is advised when you go to Black Hat. We really recommend a few things.
Dale Drew: [00:09:49:05] We recommend that if you're going to be taking electronic gear, make sure that your laptops and your phones are wiped of any personal or confidential data. In fact, we really recommend just wiping the system from scratch and reinstalling the operating system and going with a blank machine. And in that way, when you come back you can wipe that machine again in the event that there's been any malicious code that may have been deposited on that system.
Dale Drew: [00:10:16:03] We recommend changing your passwords. If you're there and you are surfing web pages or online banking or any of that, any personal or professional business use, we recommend changing your passwords before you go to the conference and then changing your passwords when you return from the conference. Again, in the event your passwords may have been intercepted or collected and, therefore, used against you.
Dale Drew: [00:10:42:13] We recommend trying not to use the conference wireless because you really don't know what wireless infrastructure you are connecting to. And try to use a cell phone hotspot, either your cell phone itself or bring like a MiFi. We would really recommend disabling Bluetooth on your devices because Bluetooth can not only be intercepted, it can be used as a vehicle to intercept traffic.
Dale Drew: [00:11:06:22] Just a few to round this out here, we recommend bringing an NFC or near-field communications blocker for things like your credit cards. People have built devices at these conferences where they just have to get fairly close to your wallet or your purse, and they can read the data off of your credit card, including your credit card number, your expiration date and your security code. So if you take an NFC blocker, you'll block access to those sorts of readers while you're walking around the conference floor.
Dale Drew: [00:11:37:07] And then last but not least, you know, do not accept USB drives at conferences like this. You do not know what'll be on the drive. Those are a primary method of delivering bad content to your computer. And when you're withdrawing money out of an ATM at a conference, check the ATM to make sure that there isn't a skimmer on the ATM itself.
Dale Drew: [00:11:59:11] Those are really the main sort of takeaways that we have that have really contributed to people losing access to personal information or losing access to professional assets.
Dave Bittner: [00:12:11:12] Alright, so Black Hat is not your average tech conference, so extra precautions are in order.
Dale Drew: [00:12:17:21] Absolutely.
Dave Bittner: [00:12:18:18] Alright, Dale Drew, thanks for joining us.
Dave Bittner: [00:12:23:03] And that's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible.
Dave Bittner: [00:12:33:00] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Our social media editor is Jennifer Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.