The CyberWire Daily Podcast 7.17.20
Ep 1132 | 7.17.20
High-grade grifter. Twitter’s disinformation potential. Hacking vaccine research and doxing trade talks. What Iran’s hackers are up to. And CISA says, for heaven’s sake, patch already.
Transcript

Dave Bittner: Are you a follower of The CyberWire on LinkedIn? If not, you might just want to do that. Why, you ask? Well, we do a weekly discount code drop for CyberWire Pro. Each week, we will be dropping one discount code on LinkedIn with significant discounts for CyberWire Pro. That discount code can only be used five times, so follow @thecyberwire on LinkedIn. Keep your eyes peeled. The code could drop any day of the week, and it's first come, first serve.

Dave Bittner: The Twitter hack is looking more like high-grade, low-end crime. It also worries people over the disinformation potential it suggests. People care, they really do, that someone hacked COVID-19 biomedical research. Australia joins the U.K., Canada and the U.S. in blaming Russia for Cozy Bear's capers. Russia says it didn't do nothing. IBM gained some insight into Tehran's cyber operators. Rob Lee from Dragos with thoughts on the Ripple20 vulnerabilities on industrial control systems. Our guest is Sal Aurigemma from University of Tulsa on fake antifa Twitter accounts. And CISA's serious about getting the feds to apply Tuesday's Windows patch.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, July 17, 2020. 

Dave Bittner: Twitter's investigation of its Wednesday afternoon hack continues amid much expert worry about how the ill-intentioned could use a hack like this one to disrupt political campaigns and the organization of polling. But it now seems probable, if surprising, that Wednesday's hack was criminal and not directly state-organized. 

Dave Bittner: Reuters reports pre-hack chatter on a gray market forum that's frequented by gamers, swappers and skids. And this particular chatter offered to sell Twitter accounts. That suggests low-level criminal activity as opposed to state-directed espionage. It's not just that offers to sell some stolen commodity appeared. State-run operators do that too, often when they wish to be mistaken for simple criminals - consider NotPetya as one example - sometimes when they're letting criminals whose services they've suborned profit from their hacking and occasionally when they themselves wish to profit directly. 

Dave Bittner: But in this case, the outcome seemed messy and disproportionate to the relative smoothness and ambition of the attack. That looks like crime. Reuters quoted Allison Nixon, chief research officer at security consultancy Unit 221B, who said, quote, "when you have these less professional criminal groups, you see chaotic outcomes. One member might stumble across a powerful hack, and it spirals out of control. That's probably what happened here," end quote. So good hack, bro. Now, what are you going to do with it? I know. Let's do a Bitcoin scam like the Nigerian prince's widow. Whatever. Yeah, totes. 

Dave Bittner: It's happened before. When the Mirai botnet first appeared, it took down internet service across a large section of the U.S. Atlantic seaboard, and it wasn't, as widely believed at the time, a Russian shot across Western bows, but rather the work of a student at Rutgers who was pursuing some vaguely conceived grifting like getting a competitive advantage in selling Minecraft commodities.

Dave Bittner: KrebsOnSecurity has published some suggestive, albeit preliminary and inconclusive, evidence that it was indeed a well-executed but not fully thought through criminal scam executed by a SIM-swapper connected with the ChucklingSquad gang. Perhaps by a gentleman who uses the hacker name PlugWalkJoe. He's believed to be an early 20-something British student somewhere in Spain. In any case, investigation continues. And the FBI has taken up the case. 

Dave Bittner: A great deal of concern has been expressed about the potential of such Twitter hijacking to serve the purposes of disinformation and influence operations. It didn't in this case, but given the extent to which, alas, people get a lot of their news in the form of tweets, the prospects are sobering. They are even more sobering when one considers how Twitter has come to be used for emergency notification. Twitter's own security certainly took a black eye. Perhaps the incident will serve as a learning experience for social media generally. 

Dave Bittner: So Cozy Bear lapped up some COVID-19 research honey. So what, you might ask? So the Russians get a vaccine, too. Big deal, right? Well, putting aside the issue that it seems only reasonable that even biomedical researchers shouldn't have their honestly earned bread stolen from their children's mouths, there are also issues of free-riding on research costs. And then there are also considerations of privacy. 

Dave Bittner: Bloomberg interviewed a Darktrace co-founder who says that Cozy Bear's hack of COVID-19 biomedical research put patient data as well as intellectual property at risk. The research inevitably involves underlying patient data. Darktrace thinks that collecting such data can drive AI modeling that would accelerate vaccine development. A problem they see is the rise of patients losing confidence that their health data would be protected, that this might even discourage people from, for example, going to get tested. Bloomberg doesn't go into this, but unauthorized access also always raises concerns about data corruption, whether deliberate or inadvertent. So the incident is worth taking seriously on a number of levels. 

Dave Bittner: Australian intelligence services have joined their Five Eyes sisters in the U.K., Canada and the U.S. in pointing to Russia's Cozy Bear as the actor behind cyberespionage directed against such research, the Sydney Morning Herald reports. The Herald also has an explanation of how the stolen trade documents British Foreign Secretary Raab mentioned were used in last year's British general election. They serve to drive the Labour Party's retrospectively absurd contention that the Tories intended effectively to privatize the National Health Service and sell it to the Americans. 

Dave Bittner: Russia's embassy in London, responding to unfriendly statements by Foreign Secretary Dominic Raab, said that Russia didn't hack any biomedical research, didn't attempt to influence any democratic elections, and that it reiterated its offer to jointly investigate and adjudicate cyber issues. The statement closed with this, quote, "we have also taken note of the foreign secretary's suggestion that the U.K. government reserves the right to respond with appropriate measures in the future. In this regard, we would like to state once again that any unfriendly actions against Russia will not be left without a proper and adequate response," unquote. 

Dave Bittner: These are familiar tropes in Russian cyber diplomacy. We trust the word processors in Kensington Palace Gardens, Wisconsin Avenue, Charlotte Street, Canberra Avenue, and for that matter, Messines Road have them loaded as shortcuts. That saves a lot of time and typing. We're particularly struck by the routine Russian expression of interest in seeing the evidence and coming to a mutual understanding. We're sure we'll hear it again.

Dave Bittner: Finally, CISA is serious about the Windows DNS Server vulnerability mitigated this week. Emergency Directive 20-03 tells U.S. Federal agencies to apply the patch by 2:00 p.m. Eastern Time today. And, hey, that deadline is now in the rearview mirror. We hope you all got it done. And, we might add, what's sauce for the Feds is sauce for the geese and gander on Main Street, too. Please patch. 

Dave Bittner: The problem of inauthenticity online, especially on social media, is a complex issue for social media providers to tackle. They can run the gamut, from celebrity impersonators to sophisticated state influence campaigns. Sal Aurigemma is associate professor of computer information systems at University of Tulsa, and he and his colleagues have been researching inauthenticity online, including fake and antifa Twitter accounts. 

Sal Aurigemma: The core issues around this topic in general, but definitely specifically for the fake antifa U.S. account, kind of comes down to that, you know, a fake account was used to spread disinformation on Twitter, and while Twitter and other social network platforms have gotten better at automated and manual fake account detection, and they're really good at detecting bots now, it's still kind of a game of whack-a-mole. And the key issue of identifying disinformation and stopping it being spread on and between social networks today - it's an important task, but it's pretty much almost impossible to completely stop in a timely manner given how we are operating on social media today. 

Dave Bittner: Do you think that blocking inauthentic accounts is effective? 

Sal Aurigemma: It definitely does a job in terms of preventing inauthentic accounts from continuing to spread disinformation and manipulating. The problem is that the rapidity of whether it's automated or even individuals setting up fake accounts makes it so difficult to - once you stop a bad actor from spreading information, the SOP now is basically, well, I've either already got another account set up, or I can quickly and easily set up other accounts to continue my path. And, you know, the echo chamber of the type of people that listen to these messages, whatever the content is. You know, it's easy enough to get back into those groups, even if a fake account or a disinformation campaign is stopped. It's easy enough to get back into the flow of information because those communities and groups and the type of message you're looking for, the confirmation bias that goes with the things that they're looking to read about and spread, that doesn't change just because you get rid of a fake account.

Sal Aurigemma: Social media platforms have definitely gotten better at doing this, you know, especially since the 2016 election interference by Russia, and added in human review to help with that. So they'll use these automated techniques to help elevate potential platform abuse and misuse accounts so that humans can get more involved. But that's a timely process. So even in the case of the fake ANTIFA U.S. account, that account was reported. We don't have the exact details of how it came to Twitter's attention, but that account was suspended within 24 hours of that tweet, that famous tweet that went out. But it took over 24 hours for Twitter to identify - well, it is a known, you know, racist organization that manually set up this account. 

Sal Aurigemma: And that challenge of attribution in social media is the same problem we have with attribution throughout cybersecurity. You know, we - if we jump to conclusions on who is doing certain types of activity on social media, we run the chance of being wrong, just like you've heard about - the many reports in the past of blaming an actor for, you know, inciting some information leak or an attack on an organization. So do I believe that the social networks are working hard? Absolutely. The challenge we really have is a fundamental issue with social media. 

Dave Bittner: Do the platforms themselves suffer from a bit of - I don't know - I suppose a perverse incentive of - if they're all about engagement and people who are upset tend to be engaged, people who are agitated tend to be engaged, is it best for their own interests to stir the pot a little bit or to allow the pot to be stirred? 

Sal Aurigemma: Well, yeah, you definitely hit the nail on the head there. Engagement, keeping people on the platform is what keeps these platforms in business so that they can advertise and sell product and other services. So they are definitely at odds with the problem. So there needs to be - for the social media perspective is they need a clear understanding of what is allowable and what isn't. The problem is that changes, that bar keeps changing, depending on what's happening. 

Sal Aurigemma: Now, you would think that certain things are pretty clear, like, you know, child sexual exploitation. That one is clear, easily defined, and the social media platforms are very quick on that, and there is no, you know, debate on whether they are for or against that. But then, when you get into the political realm in particular, and definitely for more divisive issues, whether it's, you know, whether it's race issues in this country, or whether it is pro-life movements and things like that, you don't have the same, straight, cross the line and I can make a decision on this. It becomes much more subjective, and that subjectivity is really the challenge for social media. And, like, how do they keep people there talking about these topics, yet when it goes over the line of decency, how do they stop it? And, definitely, the misinformation part, that's - the disinformation and misinformation spread is the biggest challenge for social media in this context. Fake accounts are bad, yes. Well, what is the real bad part of fake accounts? It's more the unimpeded spread of disinformation and misinformation that really has the societal impact. 

Dave Bittner: That's Sal Aurigemma from University of Tulsa. If you want to hear an extended version of this interview, head on over to thecyberwire.com. You can find it there in the CyberWire Pro section. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, we recently had this story come by about this series of vulnerabilities. They're collectively being called Ripple20. This has some deep implications and affects a lot of things. What's your take on this? 

Robert M. Lee: Yeah, absolutely. So there was research put out by JSOF research lab, and they published it, basically saying, here's these vulnerabilities as they relate to the TCP/IP software library. So it's a library developed by Treck, Inc. It's used all over the place. There's a big focus on IoT here, but it's actually a little bit further reaching than that. It's actually quite a bit popular in ICS, or industrial control system world as well. So in backing everybody from Schneider Electric to Rockwell to, you know, different industrial automation vendors, you're going to find this impacts basically embedded devices all over pretty much every industry, but very heavily electric, and oil and gas, transportation, that kind of world. So everyone should take a look at it, but especially the ICS security community is going to need to be on top of this one. Any time that you find vulnerabilities that are of any sort of criticality, that touch on underlying software stacks, especially things like TCP/IP stacks, those are ripe targets for adversaries to take advantage of, and they allow a lot of network-capable impacts. 

Robert M. Lee: And when we think about IoT, but also the IIoT, or the industrial IoT, and you start talking about industrial control systems, network access is the game. We don't think about system-level security as much, like enterprise, where it's like, hey, let's protect this system. It's more systems of systems security. And so network access, network control - that's something adversaries are definitely going to take advantage of. So I think these are pretty impactful. My analysis, and our analysis over at Dragos to our customers, has been that this is just a further acceleration of your plans around doing network monitoring and segmentation. I think segmentation is a good strategy, but it's one that, no matter how much you do, it's kind of not what you think it is, especially with kind of the digital transformation that companies are going through and hyperconnectivity. But the importance of monitoring in those networks - think, like, network security monitoring, and, in this case, like ICS asset identification and monitoring - that just became even more critical.

Robert M. Lee: And, if I can kind of be the what's coming in the future kind of note, is this doesn't surprise anybody in this community. A lot of these software stacks, a lot of these OEM components, are all over the community. It's not well-documented of what vendor has what thing. And when these devices get deployed for 15 or 20 years, the research community, as they start poking, are going to find way more things, and the necessity to monitor in those environments to be able to identify exploitation - forget the patching piece. That's not the issue here. But it's, can you identify adversaries taking advantage of these classes of attacks, these classes of vulnerabilities? That's where we're pushing people because it's going to be more common, not less common. 

Dave Bittner: Yeah. I mean, the reporting is saying that these libraries have been out since the late '90s, and so, I mean, is it right to assume that that means that, you know, for many of these things we're not going to be seeing bug fixes? 

Robert M. Lee: Yeah, we won't. The big problem - and this goes to actually some of the things that, like, the I Am The Cavalry people have been advocating over the years, where they're saying, look, there's not a good software bill of materials for a lot of these companies. You know, when you go and talk to the Schneider Electrics and the Rockwells and the Siemens of the world today, they're putting a lot more focus on tracking their inventory and understanding what's there. They're being pretty proactive actually. But that's for 10 years from now. The state of the union for the next 10 years is all of this equipment that you bought and purchased from yesterday on back 20 years ago, and there's what we would call brownfield. And you're not making significant dents in the brownfield, and you're definitely not doing it through patching. Some patches are critical. I'm not saying don't patch. 

Robert M. Lee: But patching as a strategy for a ton of equipment in the environments that we don't even necessarily know what all is on that equipment is not the leading strategy here. And for some of those vendors, they don't know they have that software, so they won't ever issue a patch. And for some of the vendors, they may even be out of business in comparison when you bought it. So patching isn't going to be as effective of a strategy against these types of vulnerabilities in these environments as it would be in Enterprise. Again, not saying don't patch, but it's not as effective a strategy, and it has a lot of complications to it anyways, which is why we always push for, hey, at least be able to monitor. You know you've got vulnerable equipment, or you don't even know if that equipment has that software stack, that's fine. But you should be able to detect when somebody is trying to access it or exploit it. That's the leading strategy. Then you build in your protection and response strategies around that. 

Dave Bittner: All right. Well, Robert M. Lee, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: Don't forget to check out this weekend's Research Saturday, and my conversation with Jon DiMaggio from Symantec. We'll be discussing ransomware attackers who've been scanning for point-of-sale software, leveraging Cobalt Strike. That's Research Saturday. Check it out. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.