The CyberWire Daily Podcast 3.17.22
Ep 1537 | 3.17.22

Debunking deepfakes. Hacktivism and information warfare. The prospect of “splinternets.” Germany warns of security product risks. Disruption of Ukrainian ISPs. New wrinkles in phishing.

Transcript

Dave Bittner: Not-so-deepfakes debunked. Hacktivism and information warfare in Russia's war against Ukraine. The prospect of an age of splinternets. Germany warns of risks from Kaspersky security products. Disruption of Ukrainian ISPs. David Dufour from Webroot on cyberattacks hitting the automotive sector. Carole Theriault ponders parental disclosure of tracking kids. And three new wrinkles to social engineering.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, March 17, 2022. 

Dave Bittner: We begin, as we have been, with some notes on Russia's war against Ukraine, since that war has set the conditions under which most events in cyberspace are playing out. Diplomacy continues even as Russia intensifies the brutality of its attacks against civilians. The Telegraph reports that negotiators are considering a 15-point plan that would, among other things, require Ukraine's neutralization but would permit it to maintain a smaller army. It's unclear that the plan would be acceptable to either side. 

Dave Bittner: A faked video appeared yesterday that seemed to show President Zelenskyy asking Ukrainian soldiers to lay down their arms. According to NPR, the video was crudely prepared, badly lip-synced - voice and accent wrong, head not quite matching the body and so on - which would make it seem more shallow than deepfake. It was swiftly debunked but was nonetheless widely amplified on Russian platforms. President Zelenskyy said in response that the only people he'd invited to lay down their arms were Russian soldiers. Meta detected and removed the phony video from its platforms. Meta's Nathaniel Gleicher took to Twitter to explain. Quote, "earlier today, our teams identified and removed a Deepfake video claiming to show President Zelenskyy issuing a statement he never did. It appeared on a reportedly compromised website and then started showing across the internet. We've quickly reviewed and removed this video for violating our policy against misleading manipulated media and notified our peers and other platforms," end quote. He directed readers to Facebook's policy against manipulated media. 

Dave Bittner: Duo Security has been following what it characterizes as a significant rise in hacktivism during Russia's war against Ukraine. The company writes, quote, "volume of activity has spiked, but we're also observing novel approaches to organizing and attempting to circumvent obstacles. This will likely continue in the coming weeks and months as the war develops," end quote. Some of that novel organization may be found in the hands-on, hands-off approach the Ukrainian government has taken to mobilizing hacktivists. It may also be seen in the work of the hacktivists themselves who've adopted such techniques as texting Russians with news to counter Kremlin propaganda. Hacktivists have also, according to The Washington Post, turned to such hoary Cold War throwbacks as shortwave radio to get messaging through Moscow's increasingly walled-off internet. 

Dave Bittner: He's really not a hacktivist, but one celebrity who's seeking to reach the Russian people is Arnold Schwarzenegger, who posted a direct appeal with Russian subtitles to both Twitter and Telegram. President Putin's response to any inside Russia who might listen to such appeals, and especially to those who might spread them, has been direct and couched in brutal, contemptuous terms. Russia will spit out the traitors and scum who spread Western lies, and Russia will be the stronger for it. Bloomberg reports Mr. Putin's remarks as follows. Quote, "any people, and particularly the Russian people, will always be able to tell the patriots from the scum and traitors and spit them out like a midge that accidentally flew into their mouths. I am convinced that this natural and necessary self-cleansing of society will only strengthen our country, our solidarity, cohesion and readiness to meet any challenge," end quote. 

Dave Bittner: That's the heavy stick delivered by a leader whose self-presentation has been characterized by plenty of imperial trappings, from long, long tables to elaborately liveried guards. Contrast that with his opponent's self-presentation, which has generally been shabby chic, including President Zelenskyy's stubble and T-shirt worn during his address to the U.S. Congress. In general, observers see Ukraine as the clear winner in the war of influence. One of the consequences of Russia's disconnection from the internet - and that disconnection is both self-imposed and a consequence of external sanctions - is the creation of a splinternet, a process that MIT Technology Review worries might be difficult to reverse. Russia's creation of its own TLS certificate authority as it moves to evade the consequences of sanctions also poses broader security risks. CSO Magazine points out that traffic interception and man-in-the-middle attacks are likely side effects of the new authority. The risk is principally to Russian internet users. 

Dave Bittner: Germany's information security agency, the BSI, explains its warning against using Kaspersky antivirus products. The problem is that security products require extensive permissions in the systems they protect and that they also maintain an enduring persistence in those systems. Russia, the BSI thinks, is fully capable of deciding to force Kaspersky to hand over data on its customers, perhaps even give Russian intelligence services access to customers' systems. This risk has grown during Russia's war against Ukraine, and the BSI recommends replacing Kaspersky products with other vendors' equivalent systems. Kaspersky feels ill used, with some arguable justification, since the warning is based on an assessment of possibilities and not on actual evidence of misconduct. The company responded, quote, "we believe this decision is not based on a technical assessment of Kaspersky products that we continuously advocated for with the BSI and across Europe but instead is being made on political grounds," end quote. That's probably right. But unfortunately for Kaspersky, in the BSI's eyes, it's irrelevant. The BSI's concerns are that Russia could pressure Kaspersky in ways the company couldn't control or probably resist and that the risk of such pressure during wartime is simply too great to overlook. 

Dave Bittner: Triolan, a major Ukranian internet service provider, has faced periodic disruptions since the Russian invasion began. CPO Magazine reports that attackers, presumably Russian, had set Triolan internal devices back to factory defaults, which effectively knocked them offline. Other Ukrainian ISPs have experienced similar service disruptions as recently as last week. Three reports today outline new techniques in social engineering. In the first, researchers at Trustwave's SpiderLabs describe chameleon phishing pages. That is a page that adapts its colors and logos to fit the intended victims' predilections and presuppositions - the better to induce them to enter the credentials the scammers are trying to steal. The elements that change include the page's background, a blurred logo, the title tab and the capitalized text of the domain from the email address provider. Phishing pages are typically short lived and quickly exposed. Chameleon pages offer criminals the advantage of being able to easily re-use them. 

Dave Bittner: Armorblox describes a campaign that's targeting employees at a large U.S. insurance company. The scammer sends an email purporting to be from Instagram support, telling the intended victim that they've been reported for violating copyright laws. If the victim doesn't respond within 24 hours - and the response, of course, involves presenting credentials - quote, "your membership will be permanently deleted," end quote. Social apps often interpenetrate business apps, especially during periods where remote work is common. And that makes this particular brand impersonation campaign more menacing. 

Dave Bittner: And finally, Avanan has an account of how criminals are using CAPTCHA to bypass security filters. The scammers use CAPTCHA forms sent from legitimate domains in their emails. This often bypasses scanners and permits the phishing email to reach the intended victim's inbox. Once the victim tries to access the content, the attacker asks that they enter their credentials to do so and, all too often, the victim complies. 

Dave Bittner: Among the many things that parenthood has taught me is just how much my own parents were likely looking the other way when me or my siblings were up to no good, picking their battles and letting us think we were getting away with a lot more than we actually were. In today's online digital age, parents have access to a variety of online tools to keep tabs on their offspring. The CyberWire's Carole Theriault has been considering this reality, and she files this report. 

Carole Theriault: A recent survey from Malwarebytes revealed that 70% of parents track their kids online. And depending on the age of the child, a parent might want to watch their socials or know what websites they visit, monitor where they are at any given time. But get this - more than a third of parents who track their kids admitted that they do this without consent. And I was rather surprised. It seems that family tracking apps have exploded in popularity over the past decade or so. No doubt that a typical parent's natural instinct is to protect their children. And let's not forget that parents are also legally liable for their kids until they turn 18. So if they get into trouble, I can understand that most parents want to know immediately. And, of course, technology helps with that. 

Carole Theriault: But some experts question whether monitoring online life is actually helpful at protecting the kids. Sonia Livingstone, a professor in the Department of Media and Communications at the London School of Economics and Political Science, told the BBC that there is, in fact, quote, "zero evidence that any of these apps keep children safer," unquote. Livingstone also said that there's indeed a real risk that parental monitoring, quote, "moves from being intrusive to abusive." And she argues that "it's crucial to our autonomy and our personal integrity not to have our every private thought observed. And that's what private means," unquote. 

Carole Theriault: So I'm thinking about this as an adult. If I got employed somewhere, I would very much like the company to explain if and how they track my behavior before I accept the job rather than me find out they're doing it surreptitiously down the line. Or if I got into a relationship with someone only to find out that they've put a smart tracker on my car and loaded monitoring apps on my phone without my consent, I would be livid. I mean, finding out that you've been tracked without your knowledge or consent has got to be a nasty shock, whether you're a kid or an adult. I'd worried it would erode trust, respect, maybe even increase stress and anxiety. 

Carole Theriault: Well, Britain's privacy watchdog has weighed in on this and says in its data protection guidelines that companies that provide parental tracking capabilities to monitor children through their services need to take care. It says if your service allows parental monitoring or tracking of a child, you should provide age-appropriate resources to explain the service to the child so that they are aware that the activity is being monitored by the parent or their location tracked. You should provide a clear and obvious sign for the child, such as a lit-up icon, which lets them know when monitoring or tracking is active. And they also say that children who are subject to persistent parental monitoring may have a diminished sense of their own private space, which may affect the development of their sense of their own identity. 

Carole Theriault: As the parental monitoring market expands, in some places with little to no regulation, it is up to you families out there to think about how you want to proceed. Perhaps an open and honest discussion about whether monitoring is appropriate at all, and if it is, what monitoring is appropriate and how can it comfortably be used? I mean, this might be a good place to start. This was Carole Theriault for the CyberWire. 

Dave Bittner: And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at OpenText. David, always great to have you back on the show. Want to check in with you, touch base on some of the things I know you have your eye on when it comes to cyberattacks, specifically within the automotive vertical. What can you share with us today? 

David Dufour: Yeah, you know, David, there was a big to-do. I think you can remember five or six years ago, I had rented a jeep, and I was trying to get you to drive around in it so I could then take over remotely and, you know, drive it into... 

Dave Bittner: Yeah. 

David Dufour: ...A ditch. But you wouldn't fall for it. 

Dave Bittner: No, I was one step ahead of you. 

David Dufour: You were. But, you know, there was the big to-do about remotely hacking the jeep. I think it was 2015, 2016. 

Dave Bittner: Yeah. 

David Dufour: They were demonstrating that at Black Hat. And then it's kind of gone by the wayside. A lot of times we think about vehicles as industrial components and not a lot of focus is put on those. But, you know, vehicles have 150, you know, electronic control units. They have millions of lines of - hundreds of millions of lines of code in them. They are ripe to be attacked, especially if you're attacking infrastructure. But one person's opinion here - I don't think it's going to be the I'm going to play a joke on my friend and drive his car off the road. I think what we're going to see happen here is more of things where you maybe have ransomware attacks because cars are so plugged in... 

Dave Bittner: Right. 

David Dufour: ...At this point, and you're going to have to pay somebody a ransom to unlock your car. 

Dave Bittner: Yeah. 

David Dufour: I see things like that happening in the not-too-distant future. 

Dave Bittner: Yeah, I agree with you. I could see folks walking out, you know, to head to work and the screen popping up and saying, if you want to be on time this morning, you know, that'll be 20 bucks or a hundred bucks or a thousand bucks. Who knows? 

David Dufour: Right. 

Dave Bittner: You know, but along those lines, we've seen things from some automotive manufacturers have been kind of dipping their toe in the water of moving some things to subscription services. You know, if you want to have those seat heaters, instead of just buying it from the dealer, you know, it will be a monthly fee. So it's interesting how that connectivity that the vehicles have, that they're able to activate and deactivate things using software and over-the-air updates. 

David Dufour: And to keep going with that example, you know, there's even a commercial that shows a car - that it's basically a big smartphone. To that example of subscriptions and things of that nature, you can get online. And there are people - there's a very popular electronic car manufacturer. People are rooting their car and using it to mine crypto. I mean, if I pay $100,000 for an electric vehicle, I'm not going to root it... 

Dave Bittner: (Laughter). 

David Dufour: ...Mining crypto on it. 

Dave Bittner: What could go wrong? 

David Dufour: But people are doing that. What could possibly go wrong? 

Dave Bittner: Yeah. 

David Dufour: But this is happening. And I think a lot of times we think of cars as a refrigerator or a washing machine. I mean, they're fancy. We like showing them off. But they are vulnerable. As you and I always talk about, yes, the first wave of attacks are academics or people that are curious in any type of, you know, cyber issue that you see. But then that next wave are people who come up with ways to monetize those attacks, and I think we're going to see that start to happen here as these cars become more connected. This is why I drive a 1946 Jeep... 

Dave Bittner: (Laughter). 

David Dufour: ...CJ-2A (ph) with no electronics. 

Dave Bittner: Right, World War II surplus. Yeah. 

David Dufour: Exactly. 

Dave Bittner: Right. Sure. No, that makes sense. It also explains why you're single, so there you go. 

(LAUGHTER) 

David Dufour: Exactly. 

Dave Bittner: All right. Well, David Dufour, always a pleasure having you on the show. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.