Updates on the continuing hybrid war in Ukraine. Julian Assange will get another chance to avoid extradition. And Russian privateers find that they’re expendable.
Dave Bittner: Updates on the continuing hybrid war in Ukraine. The U.K. charges Russia with trying to install a puppet in Kyiv. Nominal hacktivists claim an attack against Belarusian railroads. Compromises of Greek parliamentary email accounts are reported. Netherlands authorities warn against relaxing your guard against Log4j exploitation. Julian Assange will get another chance to avoid extradition. Rick Howard's been pondering his reading list. Dinah Davis from Arctic Wolf on securing your smart speakers. And Russian privateers find they're expendable.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, January 24, 2022.
Dave Bittner: The British government on Saturday accused Moscow of attempting to form a pro-Russian government in Ukraine, Reuters reports. The British Foreign Office identified Yevhen Murayev, a foreign Ukrainian legislator, as the leader Russia was seeking to install in Kyiv and said that such machinations would not be tolerated by Her Majesty's government.
Dave Bittner: Russia's Foreign Ministry responded, quote, "we urge the Foreign Office to cease these provocative activities, stop spreading nonsense and finally concentrate its efforts on studying the history of the Mongol-Tatar yoke," end quote. That Mongol-Tatar yoke is indeed history and so deeply historical as to amount to historical inside baseball, were baseball actually played around Moscow.
Dave Bittner: The New York Times sees the announcement as of a piece with a more muscular assertion of British interests. Saturday's announcement followed last Thursday's U.S. sanctions against four Ukrainian nationals whom the U.S. Treasury Department identified as working on behalf of Russian intelligence services.
Dave Bittner: Ukrinform reports that Poland has joined Ukraine in assessing recent cyberattacks against Ukrainian targets as the work of Russian intelligence services. Ambassador Andrzej Sados, Poland's permanent representative to the European Union, was quoted as saying, "according to the information available to us, the cyberattack on Kyiv last week, January 14 through the 15, was carried out by a group of hackers affiliated with the Russian services. The same group of hackers is responsible for leaking and publishing government correspondence of Polish government officials. Last summer, the same group of hackers ran a cyberattack on the German Bundestag ahead of the September elections. It was this group that was involved in the recent attacks on Ukraine's government portals," end quote.
Dave Bittner: Russia has conducted extensive influence operations in connection with its ambitions in Ukraine. They have tended to represent Ukraine as a threat to Russia, not only in its policy but also in its growing alignment with NATO and internal ethnic fissures that, Russia argues, render the country dangerously unstable. The U.S. State Department offers a summary and assessment - a negative assessment, it need hardly be noted - of recent Russian influence operations.
Dave Bittner: MIT Technology Review describes how Russian cyberattacks against Ukraine could have effects that spread to other parts of the world. There is, of course, the likelihood that Russian retaliation against countries that have supported Ukraine in the present conflict would take the form of cyberattacks. But the experience of both NotPetya and WannaCry indicates that cyber effects are difficult to control. Whether the Russian services lost control of those attacks or were simply indifferent to the collateral damage they worked, in both cases, the effects spread well beyond the immediate Ukrainian targets. The NotPetya attack of 2017 affected shipping and logistics companies worldwide. The U.S. estimated the global costs inflicted by the pseudo-ransomware incident at more than $10 billion.
Dave Bittner: An online Russian-language publication, Reformation, reports that a group claiming to be a Belarusian hacktivist group has carried out a cyberattack designed to interfere with rail traffic in Belarus. The attack's nominal purpose is to interfere with any Russian troop movements in Belarus. The incident is said to have affected the national railroad's business systems by encrypting data and destroying backups.
Dave Bittner: The hackers say they'll provide a decryptor upon the release of 50 political prisoners and a halt to Russian troop deployment in Belarus. Claims of responsibility should be treated with caution. The incident may be a case of hacktivism, but action by criminals, national intelligence services or Russian provocation can't be ruled out.
Dave Bittner: NATO is increasing the readiness of forward-deployed forces along its eastern flank. The Guardian notes that a number of members of the alliance have deployed warships - to the Baltic, for the most part - aircraft and ground forces into the theater. The European Union has promised 1.2 billion euros in loans and grants to help Ukraine cope with the financial consequences of an invasion.
Dave Bittner: Sanctions are also under discussion. The U.S. is considering implementing a novel set of sanctions, as The Washington Post calls them, intended to cripple Russian strategic interests, including its technology sector. The Hill lists the sectors most likely to be affected - artificial intelligence, maritime, defense and civilian aviation sectors. The sanctions would include strict controls of exports of all microelectronics designed with U.S. software or technology or produced using U.S. equipment.
Dave Bittner: Last week Russia denied reports that it had begun evacuating its diplomatic personnel from Ukraine. But yesterday the U.S. State Department directed the families of American diplomats to leave Ukraine and gave assigned diplomats permission to leave should they so desire. State is also warning U.S. citizens to avoid travel to Ukraine and Belarus.
Dave Bittner: The State Department explained its rationale for the action. Quote, "there are reports Russia is planning significant military action against Ukraine. The security conditions - particularly along Ukraine's borders in Russia-occupied Crimea and in Russia-controlled eastern Ukraine - are unpredictable and can deteriorate with little notice. Demonstrations which have turned violent at times regularly occur throughout Ukraine, including in Kiev," end quote.
Dave Bittner: The CyberWire's continuing coverage of the crisis in Ukraine can be found on our website.
Dave Bittner: Media reports say that some 60 email accounts belonging to Greece's parliament were discovered late last week to have been compromised. The accounts belong to members, staffers and journalists covering parliamentary affairs. As a precautionary measure, parliament's webmail has been suspended while investigation proceeds.
Dave Bittner: Pursuant to the U.S. Cybersecurity and Infrastructure Security Agency's Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, CISA last week added 17 listings to its Known Exploited Vulnerabilities Catalog. Federal agencies have until February 1 to address the most urgent issues.
Dave Bittner: Log4j vulnerabilities remain a matter of concern. BleepingComputer reports that the Dutch National Cybersecurity Centre has warned that organizations who may not have sustained particularly serious exploitation of those vulnerabilities shouldn't let themselves lapse into a false sense of security. Exploitation is ongoing and expected to continue for the foreseeable future.
Dave Bittner: The Washington Post says that a British High Court decision rendered today has given WikiLeaks impresario Julian Assange leave to appeal the decision to extradite him to the United States, where he's wanted on charges of violating the Espionage Act. Mr. Assange remains in Belmarsh prison while his case is being decided.
Dave Bittner: And finally, Russia continues to crack down on cybercriminal gangs. They've functioned as privateers, effectively harassing Russia's adversaries with at least the tacit consent - possibly the active encouragement - of the Kremlin. But privateers are as expendable as they are deniable, and the Russian cyber underground is feeling the effects of the crackdown.
Dave Bittner: Alleged members of REvil were arrested more than a week ago, and TASS reported on Saturday that the FSB arrested the founder and three members of the criminal Infraud Organization. The founder, Andrey Sergeevich Novak, TASS points out, is wanted in the U.S. His detention has just been announced. He's been in custody for two months.
Dave Bittner: Why the arrests? Russian authorities may be pointing out that they can render valuable cooperation to Western - especially American - law enforcement, and that assistance could be quickly withdrawn should the West continue to make noise about Ukraine. Or the arrests could be disinformation of the deep, positioning Russia as an international good citizen.
Dave Bittner: The arrests have shaken the Russophone underworld, which nonetheless seems a lot more fatalistic than American mobsters would be in similar circumstances. Digital Shadows has been keeping an eye on the chatter in the criminal fora, and they emailed us their sense that the mood has shifted. In 2020, the researchers say, one forum user wrote, "if you're working on the Russian Federation, then they'll hunt you down. But if you're working on the EU or the U.S., then nothing will happen. No one will care until you visit the EU or the U.S.," end quote. So stay away from Russian businesses, feed on the Americans and Europeans, and everything will be A-OK.
Dave Bittner: But that's changed. One hood in a position to know recently shared, quote, "if you still continue to firmly believe that if you are in the Russian Federation, then nothing will happen to you no matter what you do, this faith will destroy you," end quote. So this raises some practical questions as criminals consider their plans. There's no consensus as to whether it's better to go to a Russian or an American prison. On the one hand, life in an American prison might be easier, but the sentences tend to be longer. It's best, of course, to stay out of the slammer altogether, but, well, if you've got to go, you've got to go.
Dave Bittner: And it is my pleasure to welcome back to the show Rick Howard. He is the CyberWire's chief security officer, our chief analyst and chief fellow as well. Rick, great to have you back.
Rick Howard: Hey, Dave.
Dave Bittner: So here we are. It is 2022, and I have to say, I don't know about you, but I cannot believe that we are almost through the first month of 2022.
Rick Howard: How is that possible? I said, I'm going to get so much done over the break and here we are, it's the middle of January.
Dave Bittner: Yeah.
Rick Howard: Where did the time go?
Dave Bittner: It doesn't - I don't know. But the good news is that your podcast, "CSO Perspectives," is kicking off Season 8. So what do you have in store for us?
Rick Howard: Yeah, well over the holiday break, I had this epiphany that all of us are students of the cybersecurity game, and that includes me and you, Dave. We are students of this game, right? And one thing that makes the game challenging is that it changes all the time. There is always something new happening somewhere - some new attack vector, like the Log4j vulnerability that we were all dealing with over the holiday break...
Dave Bittner: Right.
Rick Howard: ...Or some new policy, like President Biden's most recent signing of the National Security Memorandum No. 8 happened this week; or the latest attack sequence for some cybercrime adversary group like FIN8. And it's an enormous effort for any one person to keep up with it all. And we all have our own methods to try to stay up to date, like, you know, listening to podcasts, reading books and technical papers, following smart people on Twitter and, you know, watching YouTube videos.
Dave Bittner: Yeah, yeah. I mean, do you have a preferred medium? Do you find yourself drawn to one over the others?
Rick Howard: I do, but I realize that the way everybody consumes information is deeply personal and tailored to how they like to receive information. So my way may not be your way, but for me, my two preferred methods are podcasts and books. Podcasts and audiobooks, by the way, because they are so convenient. If I'm walking the dogs or doing the laundry or washing the dishes, I'm catching up on podcasts or listening to a book.
Dave Bittner: Now, you know, you and I have known each other for a while now, and I remember some of our first conversations were about the books that you were reading. And you've always been a real big advocate of reading books and especially books about cybersecurity. Your work on the Cybersecurity Canon Project, of course, is noteworthy. I'm wondering if you've noticed a decline in people talking about taking the time to read actual books. It seems to me like with everyone being so busy and so many demands on everyone's time, people aren't sitting down with a good book the way they used to.
Rick Howard: You know, I think that's true for a lot of people, but let me try to make the case that you should prioritize taking the time to read or listen to a book, all right? So here it is. It makes your world a bigger, richer environment, all right? In other words, it gets you out of your own bubble. And so let me lay a Confucius quote on you if you'll indulge me just a bit, all right? Here's what he said.
Dave Bittner: OK.
Rick Howard: "No matter how busy you may think you are, you must find time for reading or surrender yourself to self-chosen ignorance," end quote. Now that's a subtle dig from 500 years B.C., all right? So take that.
Dave Bittner: Wow.
Rick Howard: But, you know, more recently, Mark Twain was a bit more blunt. He said this - if you don't read, you're not any better than people who can't read. Ouch. That hurts a little bit.
Dave Bittner: OK, fair enough. Fair enough. All right. Well, so what are - what's taking up your time? What books and podcasts are you recommending that everybody should be reading and listening to?
Rick Howard: Well that, my friend, in the podcast biz is one of our famous teasers. You're going to have to listen to the first season of - that starts this week on "CSO Perspectives." So everybody check it out.
Dave Bittner: I can't believe I walked right into that.
Dave Bittner: All right. Rick Howard, thank you so much for joining us.
Dave Bittner: And I'm pleased to be joined once again by Dinah Davis. She is the VP of R&D and Operations at Arctic Wolf and also the founder of Code Like a Girl. Dinah, great to have you back.
Dinah Davis: Thank you, very exciting - 2022.
Dave Bittner: 2022 here we come, whether we want it or not, right?
Dinah Davis: That's right.
Dave Bittner: So having just come through the holiday season as we did, I think a lot of folks under their Christmas trees or their Hanukkah bushes or however they get gifts distributed to them by their loved ones have found themselves with new smart speakers. And with that comes some security issues as well. Bring us up to date here, Dinah. What sort of stuff has you concerned from a security point of view?
Dinah Davis: Yeah. Well, did you know at least 35% of American households have smart speakers?
Dave Bittner: Wow.
Dinah Davis: That was in 2019, so I suspect that number is higher. So if you have one, then the things that you want to do are make sure you have the voice recordings deleted often. So I know with both Amazon and Google, you can go in and review your voice recording history and delete it. And in fact, I went and double-checked mine while I was preparing for this just to see what I had set, and I was glad that previous me was smart. And there - my voice recordings are deleted immediately - immediately.
Dave Bittner: Oh, I see.
Dinah Davis: They are not kept for any length of time at all. And that just helps. Like, you don't need them having all those voice recordings of you in their systems for that long.
Dave Bittner: Yeah.
Dinah Davis: Don't link your calendar or your address book to your smart speaker. And I feel like that's something people would really want to do from a usability perspective, right?
Dave Bittner: Right. Hey, what do I have - what's on my schedule today? And it can tell you that.
Dinah Davis: Right? But if you do that, it's very easy for hacks to come in, especially the address book, and then start sending stuff to your contacts - right? - phishing emails or other things like that, right?
Dinah Davis: It may ask you for things like passwords to different things, credit cards when you're shopping, Social Security numbers. Don't ever tell them into your smart speaker. You don't - you can't be sure that it's only going to be used for the purpose you think it is, right? And, you know, if you tell your smart speaker, anyone could possibly get that information just by asking it.
Dinah Davis: So you can also turn off the microphone when you aren't using it. I feel like this is one of those security recommendations that's, like, well-intended but, like, less useful.
Dave Bittner: Yeah.
Dinah Davis: So, like, the whole idea with the smart speaker is it's just there. You want to yell at it, and it does stuff, right?
Dave Bittner: Right. You want it to be the computer from "Star Trek," right?
Dinah Davis: Yeah. Yeah.
Dave Bittner: Yeah (laughter).
Dinah Davis: You don't want to have to go turn on the microphone, then yell at it...
Dave Bittner: Right.
Dinah Davis: ...And then turn the microphone off. But...
Dave Bittner: Right.
Dinah Davis: ...You could consider times when you may want to turn the microphone off, right? Maybe you want to turn it off during family dinner so it's not, like, that whole time is being listened to or something like that, right?
Dave Bittner: Yeah. I could imagine also, like, just hours of the day. If you know you're sleeping from certain times of the night...
Dinah Davis: Yeah.
Dave Bittner: ...Turn it off.
Dinah Davis: Yeah, exactly. Exactly. And possibly, you might even be able to schedule that. I don't know. I haven't looked into it. But, you know, Google or Amazon, that would be a great feature - right? - if you don't have it...
Dave Bittner: Yeah.
Dinah Davis: ...already.
Dinah Davis: Turn off purchasing - so I didn't really realize people did this, but people, like, add stuff to their Amazon carts and then say, buy, and then it ships it right to their door, like, all through the smart speaker. I found this out because I was watching "Borat."
Dave Bittner: (Laughter) OK.
Dinah Davis: I was watching the "Borat" after show on Amazon, where they, like, had him in the house with those two guys, and those two guys...
Dave Bittner: OK.
Dinah Davis: ...Were showing him how to use the Alexa.
Dave Bittner: (Laughter).
Dinah Davis: But I was like, oh, really? Wow. Yeah, that makes sense, right? So, you know, maybe don't have it connected to your Amazon account that way because anybody can just start saying what they want, especially if you have little kids who accidentally...
Dave Bittner: Right.
Dinah Davis: ...Have it - not maliciously by your kids. But even the other day, I had a friend say, my daughter got my - my 3-year-old daughter got my Kindle, and now I have, like, five books that I'm going to read that I didn't want.
Dave Bittner: Right.
Dinah Davis: But I guess it's what I'm reading now.
Dinah Davis: And then one great one is, if you're going to leave some of that stuff on, like purchasing, you know, because you really want it - and that's OK, that's your choice, right? - stay on top of your notification emails. So, you know, every time you buy something on Amazon, you get a message, right? So check those.
Dave Bittner: Right.
Dinah Davis: You know, check those regularly. Make sure you look at that kind of stuff.
Dinah Davis: And then make sure you're using good Wi-Fi; so, like, WPA2. And one big recommendation I have is to use guest Wi-Fi for all your guests, but also any of your insecure or unsecured IoT devices. Don't have IoT devices on your network that are not secured in your family's network so that if something ever happened to compromise them, they're stuck in the guest Wi-Fi and not connected to your stuff.
Dinah Davis: Enabling voice recognition can be a really good idea, and then making it only - setting it so it only responds to the voices it recognizes. That will help you with the yelling into the window - open the doors.
Dave Bittner: (Laughter) Right, right, right, so it only responds to known voices.
Dinah Davis: Yeah, exactly, exactly.
Dave Bittner: Yeah, yeah.
Dinah Davis: Yeah. And then, of course, finally - strong passwords, people - strong passwords.
Dave Bittner: All right. Well, good advice for sure. Lock down those smart speakers, people. Dinah Davis, thanks for joining us.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com.
Dave Bittner: Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.