The CyberWire Daily Podcast 2.9.22
Ep 1512 | 2.9.22

A Foreign Office hack is disclosed (but that’s it). Preparing for a cyber escalation in the hybrid war Russia’s waging against Ukraine. Multi-cloud threats. Patch Tuesday notes. Razzlekhan raps.

Transcript

Dave Bittner: Britain's Foreign Office sustained a cyberattack last month. The details are secret. Poland stands up a cyberdefense force as Europe and North America raise their level of cyber readiness. Negotiations over the Russian pressure on Ukraine are likely to be protracted. Threats to multicloud environments. Patch Tuesday notes. Dinah Davis from Arctic Wolf on keeping kids safe online. Carole Theriault examines Mozilla's Privacy Not Included campaign. And Razzlekhan rocks the mic.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, February 9, 2022. 

Dave Bittner: The Times reports that Britain's Foreign Office sustained a cyberattack last month. Details are publicly unknown because they're being considered a matter of official secrecy, but it is known that the attack was serious enough to warrant giving BAE Systems Applied Intelligence a contract for almost 470,000 pounds to help with response and remediation. The contract did not go through the normal competitive process due to the urgency and criticality of the work. Official sources offer no attribution, but The Times indulges some a priori speculation by pointing to recent warnings about Russian cyberthreats. 

Dave Bittner: The AP reports that Poland has appointed Brigadier General Karol Molenda to lead the country's new cyberdefense force. Defense Minister Mariusz Blaszczak framed the new command as a defensive measure taken in recognition of especially cyberthreats from Russia. Quote, "we are perfectly aware that in the 21st century, cyberattacks have become one of the tools of aggressive politics also used by our neighbor. For that reason, these capabilities are of fundamental key nature to Poland's armed forces," end quote. 

Dave Bittner: Reuters cites unnamed sources who say that the European Central Bank has raised its level of alert for cyberattack and has shifted its focus from the common financially motivated cybercrime to the prospect of state-directed attacks originating from Russia. The ECB is said to have queried banks about their readiness to withstand such attacks, and the individual banks are said to be holding drills to increase their own state of readiness. The measures seem driven more by prudential considerations concerning the continuing Russian threat to Ukraine and by Russia's record of offensive action in cyberspace than they are by specific intelligence of any particular imminent threat. 

Dave Bittner: The U.S. has been unusually forthcoming with intelligence it's collected on Russian cybercapabilities and operations. The revelations are generally regarded as having undeniable utility as influence operations. But Politico says that some in the U.S. intelligence community think that too much may have been shared. There's also some concern that the releases may be unduly alarmist, especially when taken collectively and without other context. Politico quotes a former CIA officer, quote, "I am concerned about the long-term credibility of our intelligence with all of these select declassifications. If it turns out to be wrong or partially wrong, it undermines how much our partners trust the info we give them or, frankly, how much the public trusts it," end quote. 

Dave Bittner: Other observers think that simple deterrence is likely to restrain Russia from escalating its hybrid war in cyberspace. An op-ed in The Telegraph, for example, argues that Russia understands British and U.S. offensive cybercapabilities and that its calculus will tell it that an expanded cyberwar is one Moscow is unlikely to win. Task & Purpose reviews potential cyberthreats from Russia and concludes that none of them amount to shock and awe. It reviews five major cyber campaigns Russia has mounted against Ukraine, widely regarded as a testing ground as well as a theater of operations, since 2014 - election interference in 2014, power grid sabotage in 2015 and again in 2016, NotPetya economic disruption in 2017 and Bad Rabbit economic disruption in 2017. It rates the strategic effects of all but NotPetya as negligible. NotPetya's effect it rates as unknown. These are, of course, all actual attacks. There are other potential threats, especially large-scale and destructive attacks against power grids, whose consequences could be far more devastating than these. But the essay's account of the use of cyberattacks as tactical adjuncts to military operations is interesting. 

Dave Bittner: The New York Times reviews the current state of multilateral negotiations and sees, if not stalemate, at least stasis. Its analysis foresees a drawn-out and dangerous diplomatic slog toward a difficult settlement. 

Dave Bittner: Russia has staged more general purpose forces near Ukraine - notably moving amphibious assault ships from the Mediterranean and toward Ukraine's Black Sea coast - while diplomatic efforts to reduce tension continue. Belarus continues to emerge as an important staging point for Russian conventional forces. No fresh, large-scale cyber activity, however, is being reported. 

Dave Bittner: The Guardian reports that French President Macron said Russia's President Putin gave him a personal assurance that Russia wouldn't be the one to escalate the conflict between Russia and Ukraine. President Macron communicated that assurance to his Ukrainian counterpart, President Zelensky, during talks yesterday in Kyiv. Zelensky, who has taken pains to downplay the imminence of Russian invasion while preparing for the worst, was politely skeptical, saying, quote, "I do not really trust words. I believe that every politician can be transparent by taking concrete steps," end quote. 

Dave Bittner: Official Russian comment on French claims that Moscow had agreed not to undertake any new military initiatives was, however, dismissive. Spokesman Dmitry Peskov said, quote, "This is wrong in its essence. Moscow and Paris couldn't do any deals. It's simply impossible. France is a leading country in the EU, France is a member of NATO, but Paris is not the leader there. In this bloc, a very different country is in charge. So what deals can we talk about," end quote. 

Dave Bittner: Researchers at security firm VMware this morning issued a report on threats to Linux-based multi-cloud environments. It finds that ransomware is hitting Linux host images used for workloads in virtualized environments, that most cryptojacking uses XMRig-related libraries, and that most users of Cobalt Strike are using it for criminal purposes. 

Dave Bittner: Yesterday was Patch Tuesday, and Microsoft fixed 48 problems, including issues with Windows Kernel, Hyper-V, Microsoft Outlook and Office, Azure Data Explorer and Microsoft SharePoint. In some respects, it was a relatively light Patch Tuesday, even by the unexacting standards of February - traditionally a month whose Patch Tuesdays have been comparatively unexacting. Microsoft, which, we note in disclosure, is a CyberWire partner, addressed one zero-day, a kernel privilege-escalation vulnerability, but neither this nor the 47 other problems fixed were rated critical. Threatpost calls the absence of any critical vulnerabilities in the list of patches "unheard of," and indulges an effusive "oh, blessed day" in its review of Redmond's latest Patch Tuesday. But, of course, constrain the joy to moderate levels, and don't get cocky, kid - even merely important vulnerabilities should be fixed. 

Dave Bittner: And CISA yesterday also issued two more industrial control system advisories, both for Mitsubishi Electric products. 

Dave Bittner: And finally, hey, everybody, did you know that one half of the couple arrested this week on charges of conspiracy to commit money laundering in the Bitfinex caper was not only a CEO, but a writer, an economist, a journalist, an influencer, an artist, a rapper and a motivational speaker? She is, you know, although the future course of her career is now uncertain. 

Dave Bittner: We’re talking, of course, about Heather R. Morgan, snaffled up earlier this week by the FBI and the Treasury Department. She actually was a contributor to Forbes between 2017 and 2021, now listed as a former contributor, where she published insufferably self-referential, fizzy, knowing puff-pieces about minor, trivially transgressive celebrities. She also sometimes wrote about entrepreneurship, negotiation and security - and, of course, above all, about her very own self and her mad business skills. You can still find those online. 

Dave Bittner: What we can’t find online anymore are Ms. Morgan's rap videos, but they were there as recently as yesterday. They’ve now been taken private on YouTube for reasons we can only speculate about. Don’t want to prejudice a potential jury pool? Who knows? 

Dave Bittner: Anyhoo, we wouldn’t have linked to them anyway, because they’re kind of potty-mouthed and we’re a family show, but we did listen and even watch. Others did, too, but apparently most of them only paid attention, Reuters says, after the indictment was announced. Reuters is kind of crabby about the quality of Ms. Morgan’s rhymes, but to tell the truth, they were kind of painful. Quote, "You don't even know me - start a company at 23," said one. She also strove for some gangsta swagger like, "got no clue what I'm about - could gut you like a trout." Of such things are influencers made. 

Dave Bittner: She called herself, in her videos, the crocodile of Wall Street, and used the nom de rap Razzlekhan. The Razzlekhan website is still up, if you're curious. We've been there, and the clue we get about what she's about is probably up to no good. We've been pondering, without any maundering. Maybe that was laundering - allegedly. 

Dave Bittner: The Mozilla Foundation recently created a campaign they're calling Privacy Not Included. Our U.K. correspondent Carole Theriault took a closer look, and she files this report. 

Carole Theriault: If you read the tech press, you will regularly see information from tech firms. Maybe it's research from a survey they did, or it's a brand-new product or service they've launched. And let's be honest. They're not always riveting or, more importantly, useful. But I recently saw a campaign called Privacy Not Included, and it's run by the Mozilla Foundation, the creators of Firefox, a browser that has been championing its privacy features. 

Carole Theriault: So our friends at Mozilla have created an IoT creep-o-meter, for lack of a better term. Effectively, it's like a consumer report for its connectivity and privacy features. And it's not exhaustive, but they certainly have done a great stab at covering all the products that people might own. So they have smart home tech, smart toys and games, smart entertainment, wearables, health and exercise, pets, video calling apps and dating apps. 

Carole Theriault: OK, let's take a look at one. Let's say it's a brand-new year, and I want to get fit, and I want to purchase a rower. And let's say I lost my mind and wanted a smart rower. Let's go see if the Mozilla Foundation's Privacy Not Included campaign has a rower listed. Woot. They do. OK, so they have the NordicTrack rower here. And I also see an exclamation mark with an asterisk saying Privacy Not Included. Very high up in the article, they say NordicTrack's privacy policy is an exercise in awful. They say they can sell your data. They can call or text your phone number even if you are on a do-not-call list. They may get data from data brokers and use it to know more about you in order to more effectively target you in their ads. 

Carole Theriault: Mozilla go on to say that if you buy a NordicTrack exercise machine and sign up for their iFit app for workouts, expect your data to be collected, used to target you with all kinds of ads. Your phone number is now fair game for marketing texts or phone calls from them, and your data is possibly being sold to third parties. Oof. And this is just one of the hundreds of products that they've reviewed. 

Carole Theriault: When I say reviewed, what I think's going on here is someone has been reading the privacy statements associated with each of these products because that is where a company has to list what it's going to do with your data. But hey, if that's not your bag, you can now go to this Privacy Not Included campaign and check out a product. And if one is not listed, they say, hey, just send it to us, and we'll take a look. The advantage here is that Mozilla is writing the information in very plain language so that all of us can understand and we're not bamboozled by legalese. I'm hoping that we will see more tech campaigns like this in 2022. This is Carole Theriault for the CyberWire. 

Dave Bittner: I am pleased to be joined once again by Dinah Davis. She is the VP of R&D operations at Arctic Wolf and also the founder of Code Like A Girl. Dinah, always great to have you back. 

Dinah Davis: Thank you. 

Dave Bittner: You know, you and I are both parents, and as such, I think - oh, gosh, we spend a certain amount of time thinking about what our kids are up to online, trying to keep them safe. I just want to touch base with you. What sort of things are in your day-to-day of keeping the little ones out of trouble? 

Dinah Davis: Yeah. So I think it changes as they age a little bit, right? First thing would be, you know, if you're a parent of smaller children - and since we just went through Christmas, you may have gotten them some pretty cool toys. If any of those are connected to the internet, you definitely want to secure them, right? So do your research. Read the privacy policy. How will the manufacturer use that data? Can you delete the data? Can you secure the device? Can you connect it to a guest network? Make sure, if there's passwords, you change the default settings, or add a password if you can, right? And don't share any identifying information. And if there's, you know, Wi-Fi connected, Bluetooth, cameras, microphones and the toy is not being used, consider completely shutting it off. That way, it can't listen in the background, right? 

Dinah Davis: That's for the little ones. But, you know, I have one that's getting a little older, entering her teen years. And yours are also a little bit older than that. You know, make sure, you know, they are never using their real names on gaming systems, right? So they should have a - you know, a handle or something. My daughter has a couple of handles she likes to use all the time. And I say, never use your real name. You don't know who you're talking to. Make sure they know that people can pretend to be other things online, and never meet up with anyone that is, you know, talking to you, or try and connect with them separately. And know who your children's online friends are - easier when they're a little younger, harder when they're in their late teens. I mean, we're going to - that's - you have to just teach them a little bit on how to behave online, right? Try to keep them off social media as long as possible (laughter). 

Dave Bittner: (Laughter). 

Dinah Davis: That's like - you know, like, as long as possible... 

Dave Bittner: Right. 

Dinah Davis: ...For so many reasons, so many reasons. 

Dave Bittner: Yeah. 

Dinah Davis: If you can't - right? - like, you know, at some point, it's... 

Dave Bittner: Let's say when you can't (laughter). 

Dinah Davis: Yeah. Let's say that, yes, because there will be that day for me, too. Absolutely. When you can't, you know, you should join all the social networks they're on. You should friend them, as much as they may not want that, so that you can, you know, at least see what's going on and be aware. Make sure they know how to report inappropriate behavior and offensive posts on any social network they're on. Make sure they know how to block someone and when they should do that and why. And tell them to keep some information private, right? And then also always teach your kids to never share their location. And when you go into these apps, make sure and go and check with them and show them how to set it up so that the location tracking is not on or shared whenever they post, right? Those are big things that a lot of the social networks have. 

Dinah Davis: Finally, I go to my story where, you know, my child was - I think she was maybe 6 or 7, and she was able to iMessage with one friend and her family. And she sent a picture to her friend very innocently, and it kind of showed some stuff it shouldn't have showed. And the mom messaged me and went, she just sent this. And I'm like, what? And so... 

Dave Bittner: (Laughter).

Dinah Davis: I mean, it was so innocent. It was such an innocent thing that she did. 

Dave Bittner: Right. 

Dinah Davis: And so I explained to her. I said, look; anything you send to one friend or post on any social media or anywhere on the internet, imagine that one thing - whether it's a sentence, a picture, anything - imagine that thing blown up as a 10-foot poster in your classroom. If you're not OK with that poster being up in your classroom, you can't share whatever that is online because it doesn't matter even if you just send it to one friend and you trust them. You don't know if somebody else gets their phone, if they - all of a sudden you have a fight, and then they're going to share something else. So anything you share online should be absolutely OK being broadcast to the entire school as a large poster and you standing right beside the poster. And that seemed to be pretty effective, and I think it actually works for, like - but it works for kids at, like, so many ages - right? - because they don't - especially when they're younger, they don't understand what it means to be on the internet everywhere, right? They don't get that concept, right? But they know what it is to have everyone in your class know something about you that you didn't want to know. 

Dave Bittner: Yeah. No, that's a really - that's an effective message, I think. I like that a lot. All right. Well, Dinah Davis, thanks for joining us. 

Dinah Davis: You bet. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.