Ripple20 flaws in the IoT supply chain. Operation In(ter)ception looks for intelligence, and cash, too. Sino-Indian tensions. A look at Secondary Infektion. How not to influence reviewers.
Dave Bittner: Ripple20 vulnerabilities are reported in the IoT software supply chain. North Korean operators go for intelligence, but also for cash, and they're phishing in LinkedIn's pond. Sino Indian tensions find expression in cyberspace. A long look at the Russian influence operation Secondary Infektion. Al-Qaeda is back and asking its adherents to consider e-jihad. Joe Carrigan from Johns Hopkins University Information Security Institute on why older adults share more misinformation online. Our guest, Will LaSala from OneSpan, tracks the increase in online banking fraud during COVID-19. And the strange case of the bloggers who angered eBay may have more indictments on the way.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, June 17, 2020.
Dave Bittner: The Israeli security firm JSOF reports the discovery of 19 zero-days, collectively called Ripple20, that afflict the Internet of Things software supply chain. They're flaws in software that handles the TCP/IP protocol, and the low-level TCP/IP library that contains them has been out since the late 1990s. Treck, the company that developed the code in question, has fixed its products, but as WIRED observes, that software is at the beginning of a long and complicated supply chain through which vulnerabilities propagate in difficult-to-control ways. The research team says that, quote, "affected vendors range from one-person boutique shops to Fortune 500 multinational corporations, including HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, Baxter, as well as many other major international vendors suspected of being vulnerable in medical, transportation, industrial control, enterprise, energy, telecom, retail and commerce and other industries," end quote.
Dave Bittner: The US Cybersecurity and Infrastructure Security Agency, CISA, looked at the bugs and rated six of them as scoring between seven and 10 on the CVSS scale, where 10 is the most severe. CISA recommended that users take steps to minimize the risk of exploitation, including placing vulnerable devices behind firewalls and removing connections to the public internet. Such mitigations may be easier recommended than accomplished. JSOF began quietly disclosing the vulnerabilities to vendors back in February, and many of them have already been patched. But IoT devices are notoriously easy to overlook and, in any case, a lot of the buggy code may still be undetected.
Dave Bittner: The security company ESET describes a North Korean campaign of targeted attacks against European defense and aerospace companies. They call it Operation In(ter)ception, and it has two purposes - espionage and financially motivated business email compromise. Pyongyang's operators start with LinkedIn, proffering meretricious job offers to workers at selected companies. They seek to develop relationships into sources of information. They also, in some cases, work to compromise their email accounts in order to induce companies to fall for fraudulent fund transfer requests. This is consistent both with North Korea's intelligence requirements and its chronic need for cash.
Dave Bittner: Border skirmishes with China have moved India's government to a higher state of alert, both kinetic and cyber, the Economic Times reports. The Hindustan Times outlines one aspect of that alert - publication of the National Security Council Secretariat's list of 52 apps it finds too close to the Chinese government for comfort. Some of the apps are well known and widely used. Zoom and TikTok, to name two, are both on the list. India's intelligence services would ideally like to see the 52 suspect apps blocked.
Dave Bittner: Graphika has published a new study of Secondary Infektion, the Russian disinformation operation. The report concludes that Secondary Infektion has been in continuous operation since 2014 and that it's run by a single unidentified controlling agency and that it's been relatively quiet, at least compared to the noisier operations of the GRU and the troll-farming Internet Research Agency. Graphika gives the operation high marks for security, which can be attributed in part to Secondary Infektion's tendency to prefer short-lived, often single-post blogs, single-use burners to social media, where coordinated inauthenticity would be easier to spot.
Dave Bittner: But it's not clear how effective the operation has been. Its posts have a record of low engagement rates. They made unusually heavy use of forged documents, and their linguistic capabilities have been uneven, to say the least. The French, German and English they use are poor and marked by the usual stigmata of a nonnative speaker with roots in a Slavic language - poor grasp of the idiomatic use of articles, uncertainty about case, especially the genitive, eccentric word order and, in French and German, trouble handling grammatical gender. Think of the diction one finds in an easily recognized phishing attempt. With respect to English at least, the Kremlin has linguists who could do much better. Secondary Infektion's stuff reads like bad North Korean agitprop. It's not even the playfully mangled language of the old Shadow Brokers, with a wink and a nudge. The Brokers always achieved a wacky kind of lyricism that any fair-minded person would appreciate. This stuff is just poorly executed.
Dave Bittner: Here's an example. An attack against the Atlantic Council's Digital Forensics Research Lab, which outed Secondary Infektion last year - quote, "yes, the forensic experts were wrong about almost everything, but they thought the existence and spread of a different opinion from their employees was a serious threat. And devil take it, that tickles my pride," end quote. Devil take it, indeed. And if we may say so, the Atlantic Council's DFRLab should wear that as a badge of honor.
Dave Bittner: In any case, Graphika finds nine themes that have dominated Secondary Infektion's output since its inception - Ukraine as a failed or unreliable state, US and NATO aggression or interference in other countries, European divisions and weakness, elections, especially in the United States, United Kingdom and France, migration and Islam, Russia's doping scandals in various sports competitions, Turkey as an aggressive, destabilizing power, defending Russia and its government and insulting Kremlin critics, including Alexei Navalny and Angela Merkel. These are often supported with implausible forgeries. Many of the topics suggest that Secondary Infektion's work was, if not directed toward, at least imaginatively dominated by a Russian domestic audience.
Dave Bittner: Secondary Infektion is not, as several headlines have suggested, a newly discovered operation, as Graphika explains. Facebook flagged the operation as coordinated inauthentic behavior in May 2019, although not under the Secondary Infektion name, and the Atlantic Council described and named it last June. So what's new in Graphika's report? It's the extensive catalog of Secondary Infektion's works. And reading through them teaches, again, the lesson that OPSEC by itself isn't enough for efficacy. We may not know which subdirectorate in which Russian service ran these messages, but how much does that really matter in the long run? Again, Moscow has groups like Fancy Bear and the Internet Research Agency who've shown they can do much better. Graphika does have one quietly interesting suggestion. Looking at the very low engagement rates Secondary Infektion's output produced, they suggest that maybe the operators were paid for output, not reach. So as a famous Russian thought leader once remarked, quantity has a quality all its own. And we'll add that in this case, the quality was pretty bad.
Dave Bittner: It's well-known that the folks out there who are up to no good online have taken the COVID-19 crisis as an opportunity, using the uncertainty as a way to take advantage of the unprepared or unprotected. Will LaSala is director of security solutions at OneSpan, where they've been tracking an increase in online banking fraud during COVID-19.
Will LaSala: So I think the main thing that you see with the pandemic - so before the pandemic, fraud was kind of steadily rising. People were starting to make the change gradually to digitalization - in other words, using digital processes. You know, you were getting to a point where there were some people that were remote, that kind of thing. But then the pandemic started, and it was a mad rush for everybody to kind of embrace the digital world that we live in, none more so than the banking industry.
Dave Bittner: Yeah. I mean, I guess I hadn't really considered that, you know, in this age of online banking and slinging money around via our mobile devices that there are still a lot of functions of day-to-day banking that traditionally, and I guess to this day, have taken place face-to-face.
Will LaSala: Yeah, exactly. I mean, think about - so the older generation. So, you know, I think I'm probably an older generation person, too. But the people even older than us, they, you know, typically do their banking kind of in a face-to-face aspect. So they're still writing paper checks. They're still going, you know, into the branch offices and were interacting with tellers. So all of a sudden, they can't do that anymore. What do they do? So they're not going to gravitate to a mobile phone like the younger generation did. They're going to pick up the phone and call call centers, and so call centers were completely overrun. And not just that, but think about the hackers now. So if you've got everybody calling in there and you're a hacker and you impersonate someone else, how do you prove that user? And so you saw all kinds of fraud on some of these more traditional channels that you wouldn't even think of normally.
Dave Bittner: Are you tracking any differences between the size of the institutions? I guess I'm wondering does that local community bank have any advantage by being nimble, or does the big, you know, nationwide bank have the advantage of having so many resources behind them?
Will LaSala: You know, it's interesting. So the smaller banks are actually having a harder time of it because a lot of the times, they are more of, you know, a friendly bank, so you want to go in and transact with them. They do most of their business in person versus online, whereas a big bank, most stuff is done online.
Will LaSala: We also have to think internally - the employees of those banks. When they needed to do work, the small banks, they immediately - everybody started working from home. Pretty much, you know, 90%, 95% of the people that were employed at the banks started working from home, versus the large banks, it was exactly the opposite. So maybe only about 10% or 15% of the bank worked from home, and the rest of the bank was still in the offices, still kind of going from there. And that also had to do with how quickly they can get security components in place, so moving to mobile authenticators that could generate a mobile password and getting those out to the workforce. That was also a big, kind of shocking difference between the small and big banks.
Dave Bittner: That's Will LaSala from OneSpan.
Dave Bittner: And finally, indictments in the case of the former eBayers, the people who allegedly executed a campaign of harassment against two bloggers whose negative reviews and the comments those reviews attracted vexed some numeros at the online marketplace, may not be complete. Apparently, the six people so far indicted may not be the last. The U.S. attorney prosecuting told CBS News that the investigation was active and ongoing.
Dave Bittner: Are there lessons here? Yes, indeed. Some of them are platitudes. You catch more flies with sugar than vinegar, for example - or in this case, with pig masks, porn or live cockroaches. Corporate communications, PR consultants, corporate counsels and security teams could all learn a great deal from this strange story.
Dave Bittner: And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: Hi, Dave.
Dave Bittner: Interesting story came by from the MIT Technology Review, and it's titled "Older Users Share More Misinformation. Your Guest Why Might Be Wrong." What's going on here, Joe?
Joe Carrigan: That's right. This is actually research from a postdoc at Harvard named Nadia Brashier. And Dr. Brashier has done some work here and found out that there are some stereotypes about older people as to why they might share more misinformation on social media. Now, they do share more misinformation. That's pretty clear. But the reason why - people might say it's because they are suffering some kind of cognitive decline because they're older, and they might be lonely. Those are the two reasons that people seem to think that older people might do this, but they are not valid reasons as to why this is happening, according to Dr. Brashier's research. And what she said was that recollection will decline with age, but our ability to process and understand information remains the same as we get older. And in general, knowledge improves, which is one of the things that we've talked about before, both on "Hacking Humans" and I think here on this show, is that older people are actually less likely to fall for a scam than younger people are, probably because of their experience with the world. They don't forget...
Dave Bittner: Their cynical approach - they've been burned before (laughter).
Joe Carrigan: Right, yeah. And, yeah, they just know, oh, this is BS. I'm not falling for this. But...
Dave Bittner: Yeah, yeah.
Joe Carrigan: ...It's not because of a decline in cognitive abilities at all. It's - that's really not what's happening. And the other reason is loneliness. Older adults are not the loneliest age group. In fact, it's a complex relationship, according to another paper that she cites in her paper that says it kind of fluctuates across time, peaking in the late 20s, mid-50s and late 80s. So in general, no, they're not the oldest.
Joe Carrigan: There is something that she points to which I think is actually interesting. This article talks about the fact check. Social media platforms often rely on fact checks to show that this information's either - not correct, right?
Dave Bittner: Yeah.
Joe Carrigan: So you might see a label that says this information is false on it, and that label, ironically, increases older adults' belief in the claim later. And that actually stems from another study that was done by Ian Skurnik, Carolyn Yoon, Denise Park and Norbert Schwarz that says that telling people that a consumer claim is false can actually make them misremember it as true, and they conducted some experiments on this. So that might be one of the reasons - that when they see false on a statement, they're misremembering it as true.
Dave Bittner: Interesting. Just the highlighting of the statements at all, I guess, gets, perhaps, miscategorized.
Joe Carrigan: Yeah, yeah.
Dave Bittner: Interesting, interesting.
Joe Carrigan: I still think that social media is not a valid platform for political discussion.
Dave Bittner: (Laughter).
Joe Carrigan: I just don't think it's - I'm still going to say that. Even today, when there's a lot of stuff happening on social media, I just don't think that it is a - that anything constructive happens on there. I've actually uninstalled all my social media apps from my phone for the sake of my own mental health. I haven't yet closed my accounts. I've just stopped looking at them as much.
Dave Bittner: Yeah. There's an interesting thing they note in this article in the MIT Technology Review. They say that in addition to having less familiarity with social platforms than younger generations, older adults tend to have fewer people on the edges of their social spheres and tend to trust the people they do know more...
Joe Carrigan: That's right.
Dave Bittner: ...Which I suppose leads to being more in a bubble, more of an echo chamber.
Joe Carrigan: Yeah, absolutely. And that's actually my biggest problem with social media, is that you are in an echo chamber. And it's probably targeting the older people more. I'm going to have to read the paper that Dr. Brashier has written because - and I've printed it out. I got it right here, actually. About to go sit down and read it because this sounds interesting to me. I'm very interested in it. Dr. Brashier is actually a cognitive scientist, and I think we need more cognitive scientists and psychologists and maybe sociologists, even, in this field, in the cybersecurity field, doing research on this. I think that would provide valuable insight into the way people conduct themselves.
Dave Bittner: Yeah, no, it's an interesting article. It's from the MIT Technology Review, titled "Older Users Share More Misinformation. Your Guest Why Might Be Wrong." Joe Carrigan, as always, thanks for joining us.
Joe Carrigan: It's my pleasure, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.