In today’s podcast, we hear about some Spy vs. Spy at Citizen Lab, but who the spies were working for isn’t clear. Ukraine’s cyber police accuse Russia of phishing for election influence. As Fortuna’s wheel turns, Russian bigwigs get doxed by transparency hacktivists. Great power tension over Venezuela bears watching in cyberspace. Alleged swatters indicted and arrested. Happy National Privacy Day. Emily Wilson from Terbium Labs on “fullz” records of children being sold on the dark web. Guest is Sean Lyngaas from CyberScoop with his insights on the DNS hijacking threat.
Dave Bittner: [00:00:03] It's "Spy vs. Spy" at Citizen Lab, but who the spies were working for isn't clear. Ukraine's cyber police accuse Russia of phishing for election influence. As Fortuna's wheel turns, Russian bigwigs get doxed by transparency hacktivists. Great power tension over Venezuela bears watching in cyberspace. Alleged swatters have been indicted and arrested. And happy National Privacy Day.
Dave Bittner: [00:00:34] Time to take a moment to tell you about our sponsor Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. So sign up for the Cyber Daily email, where every day, you'll receive the top trending indicators Recorded Future captures crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:47] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 28, 2019. Citizen Lab reports that two of its researchers have been approached by people expressing an interest in them as individuals and then in their work on commercial intercept tools, specifically, those produced by the NSO group. The lab, based at the University of Toronto, had been investigating the possible use - presumably by the Saudi government - of NSO group tools against the subsequently murdered opposition figure and columnist Jamal Khashoggi. Citizen Lab stresses they have no evidence the NSO group was involved in approaching its researchers. And NSO group says it had nothing to do with it. The people who made the approach represented themselves as socially conscious investors associated with FlameTech and CPW-Consulting, both of which, the AP concluded after investigation, appear to be bogus.
Dave Bittner: [00:02:46] Their fraudulence extended to such familiar social engineering techniques as using stock images of people to serve as pictures of the purported company's executives. Note that FlameTech is all one word and not to be confused with, for example, the similarly named legitimate welding equipment vendor. That company uses two words. There are also legitimate and innocent outfits with names like CPW Consulting. The bogus front operation uses a hyphen in its name. The lab worked with the AP to let a face-to-face meeting between one staff member and the individual who contacted him play out. Citizen Lab says the approach was similar to one that private security firms use. And the AP is put in mind of the kind of private eyes they say Harvey Weinstein favored in his alleged attempts to silence the women he importuned. There may well be similarities to private security techniques. But we should also note a similarity to the way an espionage service might seek to compromise and recruit an agent.
Dave Bittner: [00:03:50] Ars Technica calls the techniques the people from FlameTech and CPW-Consulting used comically inept. And there is, indeed, a touch of the comic book, the movie, the TV show about them, especially if one thinks back to the early vogue for spy thrillers the James Bond flicks prompted back in the day. But don't get cocky, kids. This may have been "Man From U.N.C.L.E." stuff. But it didn't sink to "Get Smart" levels of hilarious implausibility. People, and not even unusually incautious or dopey people, have fallen for less sophisticated scams in the past. Recall that a lot of people who should've known better - did know better - swallowed the Robin Sage catfish demonstration hook, line and sinker. Do note that the approach involved attempts to cultivate personal connections, find apparent common interests and so on. The hoods do seem to have rushed their game a bit. But sometimes, a rushed approach works.
Dave Bittner: [00:04:45] At any rate, it's sad to say but true - if a stranger pops up with whom you seem to have a lot in common and who seems to have taken an interest in you, be on your guard. Sure, it could be a headhunter or a potential investor. But it could be someone else, too. And if they begin to ask you to perform small, innocent good deeds for them - a copy of a phone directory, perhaps, or an agreement to email a friend of theirs with some advice on study abroad programs - well, run for the exit. And tell your security officer.
Dave Bittner: [00:05:17] The U.S. Department of Homeland Security recently put out an emergency directive concerning the secure management of DNS records across the federal government. Sean Lyngaas is a senior reporter for CyberScoop. And he's been following the story.
Sean Lyngaas: [00:05:31] This story began because private researchers released warnings in recent weeks and months that there was a broad set of malicious activity related to domain name systems occurring in different parts of the world. Researchers from Cisco Talos, which is the threat intelligence unit of Cisco, released research in November warning about such a campaign that targeted, in this case, Lebanese and United Arab Emirates government websites. And then in January, researchers from cybersecurity company FireEye also put out research outlining how this type of attack was unfolding against a broader set of targets also. With that body of research, the Department of Homeland Security grew concerned that U.S. federal civilian agencies were vulnerable to this type of attack. And, indeed, according to our reporting, at least six agencies have been affected by so-called malicious Domain Name System tampering. And that's why the department decided to issue its first-ever emergency order to agencies to fix this problem. And that was under authority granted to the department in 2015 by Congress.
Dave Bittner: [00:06:47] And so what is the threat here? The manipulation of the DNS records, what could that result in?
Sean Lyngaas: [00:06:54] It could result in malicious traffic - in the most basic case, malicious traffic being directed at users, so tricking a computer user in the government when they're trying to visit a website that they trust, redirecting them to somewhere else where their computer could be infected. And my understanding - it's also - could be a conduit for other more sophisticated attacks, hence the concern of basic - this kind of malicious activity gets to the root of how records are kept on the internet and websites are verified. So in that sense, it's kind of a core-level issue that has to be dealt with.
Dave Bittner: [00:07:33] And what is in the emergency directive? What are they requiring the agencies do?
Sean Lyngaas: [00:07:38] Well, it's a series of steps, including doing something that a lot of cybersecurity experts are always - tell users to do, which is to use multifactor authentication when managing DNS-related accounts - Domain Name System accounts - so requiring a backup log-in method in order to access those accounts. And it's unclear how many agencies are not doing that now. But again, that's one of the requirements. And then another requirement is to compare certificate logs, so going in, making sure that all that matches up the way it should be because according to some of the research - the private sector research that I mentioned, the attackers have been going after those certificates as a means of compromising systems. So those are two things. And other measures include auditing DNS records. It's all being asked to be carried out within 10 business days. And that's - the clock is already ticking. You know, DHS - I've seen some praise from private-sector cybersecurity executives saying, way to be clear in outlining the challenge and the coordination. I think they want to get this as being seen as an example of good coordination between top-level researchers and the department, which has invested a lot in bringing in cybersecurity talent in the last couple of years.
Dave Bittner: [00:09:05] That's Sean Lyngaas from CyberScoop. You can follow his ongoing reporting on the DHS emergency directive on the CyberScoop website.
Dave Bittner: [00:09:16] Ukraine's cyber police say they're seeing an upsurge in Russian phishing aimed at disrupting upcoming elections. Russia says it's never done anything of the kind anywhere to anyone. Transparency activists at the organization calling themselves Distributed Denial of Secrets have released a very large set of documents produced by prominent Russians - politicians, oligarchs, journalists and religious leaders - The New York Times and others report. The dump, called The Dark Side of the Kremlin, is said to be 175 gigabytes in size. The content the group posted is intended to be seen as discreditable as, no doubt, much of it is.
Dave Bittner: [00:09:57] Distributed Denial of Secrets is described by the Rappler as a kind of WikiLeaks rival. But their selectivity with respect to what they release is thought to be less finicky than that shown by the house of Assange. The New York Times, for example, reports that WikiLeaks had declined to publish the documents on the grounds that it, quote, "rejects all submissions that it cannot verify," end quote. It also rejects material it finds insignificant. But WikiLeaks didn't say which category included the Russian documents. The Daily Beast quotes Nicholas Weaver, a researcher at the University of California at Berkeley's International Computer Science Institute, on WikiLeaks' practices. Weaver said, quote, "a lot of what Wikileaks will do is organize and republish information that's appeared elsewhere. They've never done that with anything out of Russia," end quote. Much of what Distributed Denial of Secrets has released with The Dark Side of the Kremlin appears to originate with hacktivist groups like Shaltai Boltai, the Ukrainian Cyber Alliance and CyberHunta.
Dave Bittner: [00:11:01] Russia and China have joined to block a U.S.-sponsored attempt to gain U.N. recognition of Juan Guaido as Venezuela's acting president. Reuters also reports the presence of deniable Russian military contractors in Venezuela guarding Chavista incumbent Nicolas Maduro, declared illegitimate by the National Assembly. Expect hybrid operations to accompany the tension.
Dave Bittner: [00:11:26] And finally, today is National Privacy Day. Unisys shared a snapshot of American attitudes toward online privacy with us. Their results suggest the circumstances in which American adults would prefer to keep things to themselves. Among the top concerns are apps and devices that share behavioral, geolocation or health data. Here's a quick summary of Unisys' conclusions. Forty-two percent don't want their health insurance providers to track their fitness activity via wearable monitors to determine premiums or reward behavior. Thirty-eight percent don't want police accessing data from their wearable fitness monitor at their discretion to determine if they were at a given location at a certain time. Thirty-four percent don't want medical devices such as pacemakers or blood sugar sensors to immediately transmit any significant changes to their doctor. Twenty-four percent don't want an emergency button on their smartphone or smartwatch to send their location to police if they need help. And 21 percent don't want an app on their smartwatch from their bank or credit card company to make payments from their watch. So on National Privacy Day, keep it to yourself, all right?
Dave Bittner: [00:12:39] Now a moment to tell you about our sponsor ObserveIt. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. In fact, a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIt, you don't have to. See, most security tools only analyze computer, network or system data. But to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIt combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? Try ObserveIt for free - no installation required. Go to observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIt for sponsoring our show.
Dave Bittner: [00:13:47] And joining me once again is Emily Wilson. She's the VP of research at Terbium Labs. Emily, great to have you back. You and I have talked about this notion of fullz - with a Z - these records online. And there's some fullz having to do with kids that have come to your attention recently. What are we talking about here today?
Emily Wilson: [00:14:05] As you mentioned, we've talked about fullz before.
Dave Bittner: [00:14:07] Yeah.
Emily Wilson: [00:14:07] And your listeners may recall that these are - these fullz stand for full ID packs - basically, full personal information kits. And for an adult, that would be something like payment card, name, address, maybe username and password for an account, mother's maiden name, answers to security questions - the digital equivalent of someone stealing your wallet with all of your information inside. In this case, though, we're talking about kid fullz, so this is child data. A few weeks ago now in late December, we discovered a series of listings across some of the major dark web markets, where one vendor was selling kid fullz. These are children's. They have less information in the system but name, address, phone number and Social Security number for kids.
Dave Bittner: [00:14:54] And what's the appeal of this?
Emily Wilson: [00:14:56] There are a few different ways people can use this. One of the most common ways we're hearing now, of course, is synthetic IDs, where you're creating a synthetic identity using information for children, people who aren't in the credit system yet, people who aren't going to notice something on their credit report - at least not for another 10 or 15 years. You might use it for a child tax credit. Child information has a couple of unique benefits. One - it's truly fresh data, which is hard to come by in a system where information's being compromised all the time.
Dave Bittner: [00:15:28] Right.
Emily Wilson: [00:15:28] This is information that is fresh because it didn't exist two months ago, right? When you're using infant data or baby's data, they weren't alive a few months ago, in most cases. So it's brand new to the system. And two, as I mentioned with the credit report, no one's checking on this. No one is monitoring their kid's credit. No one's freezing their kid's credit. If you're listening to this, stop what you're doing right now and freeze...
Dave Bittner: [00:15:51] (Laughter).
Emily Wilson: [00:15:51] ...your kid's credit.
Dave Bittner: [00:15:53] Is there any notion for how the folks are vacuuming these up? How do they get them en masse?
Emily Wilson: [00:16:01] So it's an interesting question because when we think about child data, particularly for young children or babies, the number of possible sources is relatively small. If you're an adult, you can be breached from one of hundreds of different points. But for babies, really, we're talking about hospitals and government records and, maybe when they get a little bit older, child care or educational system. In this case, the vendor says explicitly that these are from pediatricians' offices or health care networks. And they have other data up for sale that says that they recently breached a major hospital.
Dave Bittner: [00:16:33] And so if you're a parent, how do you protect your kids against this sort of thing?
Emily Wilson: [00:16:38] Well, first, recognize that your children are open to data compromise just as much as adults are. You know, these records are specifically listed as belonging to children. But any other hospital records that may have been breached or educational records that might have been breached, child information is getting caught up there. So recognize that they are also at risk, that we're not just talking about adults. And then the other thing you can do, which, really, is the only other thing you can do as an adult as well, is to freeze your credit. Monitor your credit. You know, people are using this information because they want to monetize it. So nip that in the bud the only way you can.
Emily Wilson: [00:17:13] To, you know, add insult to injury, a few years ago now, the Social Security Administration changed the way they were issuing Social Security numbers, which means that instead of following that familiar pattern that we all know, where you have sort of the group code and the area code and this followed a predictable set, now these numbers are randomized, which means that it's harder to tell if a number belongs to someone who's two weeks old, if a number belongs to someone who's 22 years old or if the number hasn't been issued yet, because it checks out.
Dave Bittner: [00:17:47] All right. Well, it's interesting information - something, certainly, as a parent, to keep an eye on. Emily Wilson, thanks for joining us. And that's the CyberWire.
Dave Bittner: [00:18:00] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIt, the leading insider threat management platform. Learn more at observeit.com. Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security, Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:18:40] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.