Presidential authorization for US Cyber Command action. DPRK hacking and internal regime dynamics. TrickBot’s developers. Cybercriminals in the dock.
Dave Bittner: Hey, everybody - Dave here. Are you a follower of the CyberWire on LinkedIn? Well, if not, you might just want to do that. Why, you ask. Well, we do a weekly discount code drop for CyberWire Pro. Each week, we drop one discount code on LinkedIn with significant discounts for CyberWire Pro. That code can only be used five times, so just follow @TheCyberWire on LinkedIn. Keep your eyes peeled. The code could drop any day of the week. And it's first come, first served.
Dave Bittner: President Trump says he authorized U.S. Cyber Command's retaliation against Russia's Internet Research Agency for midterm election meddling. North Korean financially motivated hacking is a sign of internal power dynamics. TrickBot accidentally deploys a new module; TikTok privacy and security. Tax fraud increases as Wednesday's U.S. filing deadline approaches. A LinkedIn hacker has been convicted; Justin Harvey from Accenture on what should and shouldn't go in emails. Our guest is Matt Davey from 1Password on the undercelebrated role of IT in the work-from-home transition and advice to alleged criminals on the lam - give them a low silhouette.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, July 13, 2020. U.S. President Trump said in an interview with The Washington Post published late Friday that he had authorized a U.S. Cyber Command response to Russian interference in the 2018 midterm elections. The Post had reported on the cyberoperation in February 2019, sourcing the story to unnamed U.S. officials. But this is the first time the president has claimed direct involvement. The attack knocked the Internet Research Agency offline in a demonstration intended, it was said at the time, to show the Russian government that cyberoperations, particularly influence operations, would not be cost-free. The New York Times says the 2018 operation was intended as both a deterrent and a realistic test of U.S. capabilities against an actual adversary.
Dave Bittner: The Telegraph reviews North Korean financially motivated hacking, including LinkedIn phishing and cryptocurrency fraud, and notes its opportunistic and indiscriminate character. The Washington Times says the increase in Pyongyang's cyber-op tempo coincides with the rising influence of Kim Yo Jong, sister of DPRK leader Kim Jong Un.
Dave Bittner: Researchers at Advanced Intelligence describe some curious TrickBot behavior. A test version of a password-stealing module appears to have been mistakenly deployed. The malware was up and prematurely warning people that they'd been infected. The researchers think the gaffe is a sign that TrickBot's masters are outsourcing at least some of their development.
Dave Bittner: Amazon told its employees to delete TikTok Friday morning but then withdrew the order as an error, The Wall Street Journal reports. The first email that went out said, "Due to security risks, the TikTok app is no longer permitted on mobile devices that access Amazon email. If you have TikTok on your device, you must remove it by 10 July to retain mobile access to Amazon email. At this time, using TikTok from your Amazon laptop browser is allowed." In what appeared to be a striking corporate about-face, the company later that day said it was in fact just a simple mistake. Quote, "This morning's email to some of our employees was sent in error. There is no change to our policies right now with regard to TikTok," an Amazon representative said later Friday. There was no further comment.
Dave Bittner: Whatever was going on over at Amazon, TikTok has come in for criticism for its security and privacy - some well-founded, some spurious, and others a simple consequence of the company's Chinese ownership and what that entails for its relationship with the Chinese government. The U.S. Department of Defense has told service members to avoid using the app, but Amazon's apparent ban was apparently just a mistake.
Dave Bittner: The Telegraph has a long and interesting exclusive on TikTok's sister company Douyin, which operates within China. Douyin has apparently been using facial recognition software to monitor users' apparent ages, perhaps to identify foreigners using the platform and assigning safety ratings that score users for upholding public order and good customs. These practices service from the corporate parent both Douyin and TikTok share, ByteDance.
Dave Bittner: TikTok has already been banned in India and is facing close scrutiny of its implications for privacy and security in both the U.K. and the U.S. The company gave what the Telegraph characterized as evasive answers to questions about whether it followed the same policies as Douyin. For example, TikTok takes the safety of our younger users seriously, and so on. But TikTok did say, quote, "TikTok has never provided user data to the Chinese government, nor would we if asked to do so," end quote.
Dave Bittner: Matt Davey is Chief Operations Optimist at password manager firm 1Password. He maintains that the role of IT in the COVID-19 work from home transition is undercelebrated and deserves a bit more spotlight.
Matt Davey: You know, we've been remote for a long time - 15 years now. And so what we really wanted to learn was kind of the other side of this and the transformation that both the IT team and kind of the rest of the company have to do when they move to remote. So it was really kind of for our own understanding as well as, you know, interest in this kind of topic and helping others understand it.
Dave Bittner: And what sort of things did you discover here?
Matt Davey: Yeah, all kinds of things. First of all, just 1% were actually primarily remote workers before COVID-19, but now 59% are actually favorable towards, you know, kind of working from home. So that was interesting by itself - that we're kind of more in this small percentage than we thought we were. And then the other one, which is the real kind of finding in the title of our blog post, is that the IT teams involved have kind of, you know, absolutely done a wonderful job of kind of scaling this upheaval. And 89% of people that answered this had zero criticism of their company's IT team, which I think is amazing.
Dave Bittner: That's interesting - any insights on what I would probably think is a surprising number to come back to you?
Matt Davey: Yeah. I mean, you know, I think it does well because I think a lot of companies are relaxing their rules slightly. Forty-six percent of SMBs report relaxing some security protocols and requirements, and, you know, 19% of the large firms are reporting that as well. So I think that goes to help it. Also, it shows that, you know, the real core security rules that you have might be different from the kind of day-to-day ones, and picking and choosing and kind of making sure that someone follows the core rules might actually help when moving to remote.
Dave Bittner: Do you have any thoughts on what we could see - I'm thinking, you know, that many organizations have, as you've mentioned, relaxed rules during this pandemic. I wonder what the melding of those two things are going to be as we - perhaps people continue to work from home. Will the organizations say, OK, we're going to have to dial in more of these rules again and adjust to this new reality?
Matt Davey: Absolutely. I think there'll be a lot of adjusting. I think some of the tools that, you know, are core to our organization are going to change. You know, the more tools that you kind of bring about that engender remote working, I think, are going to be huge. And passing all those throughout your organization are going to take time - time that we just haven't had at the moment. It just seems to be one thing after the other that the companies have to deal with at the moment.
Dave Bittner: That's Matt Davey from 1Password.
Dave Bittner: Yevgeniy Nikulin was convicted Friday of breaching internal networks at LinkedIn, Dropbox and Formspring in 2012 and of then selling the services' user databases on the black market. ZDNet reports that he took a total of 117 million user records from LinkedIn, information on 68 million Dropbox users and 30 million details on Formspring users. He was arrested in October 2016 while vacationing in Prague and was held in response to a U.S.-issued Interpol Red Notice prompted by criminal complaints the three companies had filed in 2015. In the summer of 2017, Czech authorities extradited Mr. Nikulin to the U.S.
Dave Bittner: Mr. Nikulin's time in custody was marked by a fractious refusal to cooperate not only with the government, but with his own defense counsel. He did meet with Russian consular officers - again, without his defense counsel being present - but what they discussed is unknown. He was also in trouble while being held in jail for sometimes violent and disruptive behavior. It took the jury slightly less than six hours Friday to reach a unanimous guilty verdict, CyberScoop reports. That conviction came as something of a surprise given the strong criticisms the presiding U.S. federal judge made of the prosecution's case last week, deriding it as not only boring but also frequently irrelevant. Mumbo jumbo and a dry hole were among the warmer expressions the judge used, according to Law360. The jurors apparently found it neither. Mr. Nikulin is expected to be sentenced on September 22.
Dave Bittner: And finally, what did Ray Hushpuppi do to draw the attention of law enforcement agencies in the U.S. and the United Arab Emirates? Mr. Hushpuppi says he's a real estate magnate and that dealing in property is the source of his apparently considerable wealth. The U.S. Justice Department, which now has him in custody after extradition from the UAE, says he made his fortune in business email compromise. The source of Mr. Hushpuppi's income will receive plenty of consideration at his eventual trial, as Australia's 9News reports. But Mr. Hushpuppi was not just a quiet alleged crook. He was an influencer with lots of social media and email accounts and a digital exhaust that, were it made visible, would look something like what you'd see from a very badly maintained diesel. Go look up coal rollers. Advice to malefactors - and remember, Mr. Hushpuppi is still just an alleged malefactor and entitled to the presumption of innocence - if you want to stay out of the slammer, stay inconspicuous. It's hard, we know - you want to wave the shopping bags around, or, to take an earlier alleged Russian gangster's example, pose in your tracksuit with your exotic pet ocelot. Come on. A little modesty is just good policy.
Dave Bittner: And joining me once again is Justin Harvey. He is the global incident response leader at Accenture. Justin, it is always great to have you back. I wanted to do a little check-in with you today about best practices when it comes to emails and the types of things that we should be putting in and things we should be leaving out. What can you share with us?
Justin Harvey: Well, what I can share with you is it's different from every organization. It's also different for the intended recipient for the communication of secure information. Inside of your enterprise, it's generally considered, within your company, within your email system, that it's OK to email sensitive information like a social security number or a bank routing information number or a government ID number, let's say. And for the most part, I think the communication of a couple pieces of information back and forth in, let's say, a Microsoft Exchange system is relatively secure. Yes, administrators can probably open up your email and see that, but you trust your email administrators not to do things like that.
Justin Harvey: The game changes, though, when you are emailing information across the Internet. And there are various standards and practices to securely transmit email. But the fact of the matter is your email might be able to be intercepted at some point between step A, which is you sending the email, and step zed, for instance, when the company - your recipient gets it because it's got to be routed through a lot of places, and it goes over the network. And when you are communicating via SMTP, simple mail transport protocol, there could be hop sites that don't encrypt end to end. We're getting better as a community, but there's no guarantee that your information is going to get there in a secure manner.
Justin Harvey: There's also another thing to think about when you are sending this information to a third party about how you're going to package this up. And really, to get around being intercepted between point A and point zed, a great way to do that is to create a document - either a spreadsheet or a Word document or even a text file - that has the sensitive information, then zip it. So you're already getting compression on top of that. So if you have a big spreadsheet - 10 meg spreadsheet - maybe it goes down to 1 meg. And then also, encrypt and put a password on that ZIP file. And that's going to do a couple of things. And, of course, we - of course, I recommend picking a great password, a long password, on there...
Dave Bittner: (Laughter).
Justin Harvey: ...That you're going to deliver out of band to the recipient. Don't send an encrypted zip to someone and then in the following email say, this is the password for that.
Dave Bittner: Right, right.
Justin Harvey: We see that...
Dave Bittner: It's like leaving a sign on your front door that says, key under mat.
Justin Harvey: Exactly.
Dave Bittner: Yeah (laughter).
Justin Harvey: So what you want to do is you want to zip it up. You want to pick a great password, and then you want to - you also probably want to rename the .zip to dot something else, like .TXT or .XXX, whatever you want to do. The reason for that is if you were to email that zip file, it might cause problems because advanced threat protection email systems will actually try to open up that ZIP and will see that it's a ZIP and will start to try to operate on it. So if you can just rename that extension, that'll help it get to its intended recipient.
Justin Harvey: When you're dealing internally, though, if you need to send some information - some sensitive information to someone across the company, then the best course of action is probably to use the system built in to do encryption and signing and maybe even mark things as do not forward. If you don't do that, if you just send stuff - you know, you're pasting in sensitive information and sending it off to someone - the first thing is that if you don't mark it as secure or mark it as private or mark it as confidential, then it makes it a lot easier later on, either next week or next year or in a decade. If that email has been saved off, it can then be subject to e-discovery and to a lot of different types of legal recourse if it does come out. But if you did mark it as do not forward, did mark it as encrypted and signed and confidential, it might have a better shot at being more secure over time.
Dave Bittner: You know, I remember decades ago hearing the advice that basically said don't put anything in an email that you wouldn't put on a postcard. Is - does that advice still hold?
Justin Harvey: Well, I would say yes and no. I think it is a great axiom to focus on. But a lot of times, when you're dealing in - like in this pandemic, we have to send a lot of stuff via email that we normally wouldn't. Clearly, if it's inappropriate, if you're doing something off-color or something that would violate HR, clearly don't do that. But if it gets really down to...
(LAUGHTER)
Justin Harvey: If it gets down to something that could be potentially legally sensitive, that should be your warning to be like, OK, maybe we should involve our general counsel, add them to the cc line. And that way, you can use - put at the top of your email, privileged and confidential, client-attorney privilege.
Dave Bittner: I see, yeah. Interesting. All right. Well, good advice. Justin Harvey, thanks for joining us.
Justin Harvey: Thank you.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, Proofpoint's ObserveIT, the leading people-centric insider threat management solution. Learn more at observeit.com.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.