The CyberWire Daily Podcast 12.22.22
Ep 1729 | 12.22.22

Online fraud, some targeting shoppers and investors, others going after e-commerce retailers. Updates on the cyber phases of Russia’s hybrid war.


Dave Bittner: The FBI warns of malicious advertising. A new gang makes an unwelcome appearance in the holiday season. Ukraine will receive more Starlink terminals after all. Cyber phases of the hybrid war - a view from Kyiv. The bears and their adjuncts are opportunistic agents of chaos. Caleb Barlow thinks boards of directors need to up their cybersecurity game. Our guest is AJ Nash from ZeroFox with a look at legislative restrictions on TikTok. And reports say that U.S. National Cyber Director Chris Inglis is preparing to retire. We wish him the best of luck.

Dave Bittner: From the CyberWire Studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 22, 2022. 

FBI warns of malicious advertising.

Dave Bittner: The FBI has issued a warning that cybercriminals are actively pursuing victims by dangling malicious ads in front of them. The bureau says cybercriminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information. The bureau points out that, of course, advertising isn't necessarily or inherently nefarious but that internet users should approach the ads their search engines deliver with the same informed skepticism they would bring to any other occasion for social engineering. Malvertising can appear in any number of contexts, of course, but the bureau points out that the recently observed bad behavior has been connected with financial services and often with financial services of a very particular kind. The FBI says in its warning, these advertisements have also been used to impersonate websites involved in finances, particularly cryptocurrency exchange platforms. These malicious sites appear to be real exchange platforms and prompt users to enter login credentials and financial information, giving criminal actors access to steal funds. So there you go. 

Dave Bittner: The bureau doesn't say so, but we will. There is nothing inherently nefarious about cryptocurrencies, nor is there, in principle, anything dicey, shady or loosey-goosey about the exchanges on which such currencies are traded. Whatever the mistakes allegedly made, for example, in the FTX affair - you know, the ones that cut Mr. Bankman-Fried's stay in the Bahamas short - that doesn't mean that all such exchanges and speculation are necessarily crooked or foolhardy. But don't get caught up in the mania. There was nothing inherently nefarious about tulip bulbs in the 1630s, either, but that didn't keep a lot of good Dutch burghers from losing their shirts speculating on flowers. The FBI offers advice for individuals. Check URLs. Consider using an ad blocker. And if you know a firm's URL, consider typing that instead of searching for the company by name. The bureau also has some tips for businesses. Use domain protection services and educate your users. So as the mad men of Madison Avenue used to say back in the day, it pays to advertise, and the criminals know this, too. Recognizing fraud gets easier when you know that the crooks are buying search engine ads to push their schemes. 

A new gang appears in the holiday season.

Dave Bittner: The fraud the FBI is warning against threatens individuals seeking to make online trades or purchases. There are also threats to businesses engaged in e-commerce. Security firm Signifyd reported this morning that a new cybercriminal gang has made an appearance during the holiday season. The firm's research indicates that the gang, which appears to be based in Southeast Asia, made a tentative appearance almost a year ago but hit with full force last month. So the earlier attempts at fraud were self-consciously trial runs and reconnaissance, Signifyd thinks. It seems to be a patient, confident and well-organized retail fraud operation established to bilk online retailers. The unnamed group made off with an estimated $660 million in stolen laptops, cellphones, computer chips, gaming devices and other goods in the month of November alone. The threat is immediately to e-commerce retailers, only secondarily to consumers. So as the holidays have a couple of weeks, more or less, to run, keep your guard up, online merchants. 

Ukraine will receive more Starlink terminals.

Dave Bittner: Potential difficulties now resolved, Ukraine says, according to Bloomberg, that it will receive more than 10,000 additional Starlink terminals from SpaceX over the next few months. SpaceX founder Elon Musk had said some things at the end of October that suggested Starlink service to Ukraine might prove too expensive to continue, but those issues have now apparently been addressed. Starlink has been important in restoring and maintaining Ukraine's internet connectivity, briefly disrupted during the opening days of Russia's war. The resilience the satellite-based communications system offers has been of significant value to Ukraine under wartime conditions. 

Cyber phases of the hybrid war: a view from Kyiv.

Dave Bittner: Victor Zhora, deputy chief of Ukraine's State Service of Special Communications and Information Protection, spoke at length with The Wall Street Journal about the state of cyber operations and the present war. Zhora said, We are facing tens of cyber incidents daily. That means that they have a lot of resources, that they are seeking opportunities every day. Their strategy is seeking vulnerabilities, is providing attempts to gain persistence in networks, attempts to exfiltrate data, attempts to disrupt services in Ukrainian government entities, the telecom sector, critical information infrastructure and seeking impact that they can bring to all the infrastructure. It's a strategy of opportunistic attacks seeking to induce chaos in the target. Zhora says that's the strategy - an opportunistic strategy, a chaotic strategy but a strategy that is focused on harming Ukraine, on bringing impact to our economy, to our infrastructures, to our everyday life and to our resilience. 

Reports: US National Cyber Director Inglis to retire.

Dave Bittner: And finally, CNN reported that Chris Inglis, who since July of 2021 has served as U.S. national cyber director, will leave his post in the next few months. He's the first to hold the position, which the administration created last year, and his intention is to retire. We wish him all the best in his final weeks on the job, hope he enjoys a long and happy retirement. And we thank him for his service not only in the White House but in the years he spent at NSA before that. 

Dave Bittner: Coming up after the break, Caleb Barlow thinks boards of directors need to up their cybersecurity game. Our guest is AJ Nash from ZeroFox with a look at legislative restrictions on TikTok. Stick around. 

Dave Bittner: The popular social media platform TikTok continues to draw scrutiny from U.S. legislators, primarily over concerns of Chinese ownership of the platform and the potential security implications that come from that. Several U.S. states have banned the TikTok app from government devices, and it looks like the feds are following suit. For more on this story, I checked in with AJ Nash, vice president and distinguished fellow of intelligence at ZeroFox. 

AJ Nash: There's - 19 states now have at least partially blocked access to TikTok on government endpoints, government computers. I think there's actually 20 states. Like, Indiana has a lawsuit. West Virginia and Louisiana were the last two to just join. I saw Washington might be next up. So it's going to continue, I think, on the state sides. From the federal standpoint, as you said, the federal government has a ban. In fact, they just shoved that into the $1.7 trillion omnibus funding bill. So it's pretty well-accepted as a bipartisan challenge. So I think that's going to pass through because certainly the funding will anyway. And I don't see this getting cut out or argued about. 

AJ Nash: You know, this has been brewing for a while. You know, you have a company that's based in China that owns this technology, and there really isn't - Chinese private enterprise isn't like U.S. or Western private enterprise. The separation between business and government isn't the same. Chinese companies can be compelled to cooperate with the government, assuming they don't do it of their own free will anyway. So the risk is pretty high. And this is a massive platform with a lot of content that is almost certainly available to Beijing, you know, to the Chinese government. 

Dave Bittner: From your perspective there with your colleagues at ZeroFox, what are the legitimate concerns about TikTok in terms of the information it gathers both overtly and behind the scenes? 

AJ Nash: Yeah, that's probably the biggest question, you know, I can ask right now or we all, I think, in the industry are being asked - is, why does this matter? What is TikTok's threat? What does it do? And, you know, there's a subtle piece to this thing people don't necessarily gather. TikTok can be used as a massive collection platform for personal information, for interests, for pattern of life analysis. It gets into all sorts of sentiment analysis. You know, the Chinese government has invested a lot of time, energy and money in big data processing, and this is another big data capability. So if you can bring all of that content in, you're able to analyze that and understand what's popular, what's trending or what is likely to trend, for instance. That can be used for sentiment manipulation. You know, popular opinion can be changed through social media. 

AJ Nash: You know, also, again, you can collect against just understanding what are the trends in marketing, what are the trends in brand, what - you know, what might be readiness for military, right? We have military folks that have been on TikTok. There's so many aspects of collection that come into play with a platform like this when you think of it in the macro scale. Most of us think of us the way we think of ourselves. Well, I'm not doing anything very interesting. I'm just posting a video here, or, you know, I want to just put my art there - and not necessarily understanding the larger-scale impact as it relates to your workplace, as it relates to your institution of education or any of those other factors. 

AJ Nash: But to me, the biggest piece is - it comes down to two pieces, I guess. It comes down to the ability to collect just a vast amount of content, again, about trends, about personal information, about perhaps business information and the ability to influence, which I happen to think is incredibly concerning right now. I think the government does as well. We've seen a lot of influence campaigns over the last - boy, I don't know - at least six years or so publicly talked about... 

Dave Bittner: Yeah. 

AJ Nash: ...Influencing how people think about vaccines, how people think about elections, how people think about just about anything, right? So the ability to have a platform, to control a platform that can control the message in subtle ways that may not be noticed is remarkably concerning. 

Dave Bittner: Now, the folks who run TikTok are saying that there's a lot of misinformation about what they do and how they do it and that they've put up their own firewalls to prevent China from demanding this information. Do those arguments hold any water? 

AJ Nash: Well, I don't have a great deal of faith in those arguments personally, and neither does our government, apparently, based on what we're going forth with. I think the challenge we have - and this isn't about trying to demonize anybody, and this is, I think, one of the concerns we have. In this country whenever we talk about foreign countries and their governments and how they do things, is this demonization. That's not the point. China just does things differently. Their government is structured differently. Their culture is structured differently, and they have different sets of standards. Whether that's right or wrong is a totally different discussion. 

AJ Nash: But in China, the understanding has been for a long time that there really are no abilities to create firewalls. Companies who decide they want to go against the Chinese government - those leaders don't end up running those companies much longer. You know, so I appreciate what the leadership for this company is saying, and I understand the position. It's certainly a strong business position to take. But no, I don't happen to believe that there's the ability to withstand government intervention. In fact, it's written directly into the laws in China that the Chinese government can demand this content. So my assumption and I think our government's assumption is that this information goes to Beijing. 

Dave Bittner: How much do you think this is going to matter, the banning of TikTok on the devices of folks in the government, at the state level, at the federal level? It's still presumably going to be as popular as ever for consumers. 

AJ Nash: Yeah, I think that's true. I think, you know, this is a good symbolic gesture. I think it's important. But frankly, TikTok probably shouldn't have been on any of these devices to begin with. You know, there would be few, if any, people within government agencies who would have an official need to be using TikTok. And if you don't have an official need for anything, any technology, it shouldn't be on the device, you know, when you're talking about government, state or federal government. So I would imagine in most cases these already didn't exist. For those who had TikTok on their endpoints, on their phones or on their computers, chances are they were doing it in violation of some policy anyway, and they'll just be rooted out. So I don't think it's going to have a massive impact in that regard. I think you're right. I think hundreds of millions of people use this platform in private lives and will continue to. 

AJ Nash: I do think this can create the next step, though. If you see government start taking these actions, then you could be looking at private companies, say, well, we should probably follow suit. There's a reason to believe there's a risk. So you'll see private companies start to take this action. And then the question becomes, how far do you project that out? Can a private company have a policy about how their employees interact or work within social media, which I think we've proven that is absolutely possible to do? So I think we're going to see this continue to grow. And that's where I believe the impact will come, is when we see the government, if we see private enterprise start having policies about how their own employees are able to interact on social media in places like TikTok. And they may well be banned from having any reference to the company within TikTok, and that could open up all sorts of other discussions. 

Dave Bittner: That's AJ Nash from ZeroFox. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the founder and CEO at Cylete. Caleb, it's always great to welcome you back to the show. Something you and I have talked about in the past is the positions of boards of directors and, you know, the degree to which they have expertise in cybersecurity. Where do you suppose we stand now? 

Caleb Barlow: Well, let's talk about this in the context of a public company, Dave. And, you know, this topic comes up about every six months. You know, the Securities and Exchange Commission weighed in on this issue earlier in the year by proposing new rules for public companies and how they oversee cybersecurity. There's even a bill in Congress. This proposed a similar rule, and the idea being that, you know, various regulators saying, hey, boards of directors need to have someone on the board with cybersecurity expertise. And, you know, at first blush, this sounds like a really good idea. And I think it is. But we as the cybersecurity industry have probably got to start stepping up our game to both be prepared for this, but also to help define what is an acceptable skill as cybersecurity expertise. And what's interesting - when you talk with boards, you hear all kinds of crazy stuff about how somebody had - oh, well, we had a breach in my past company, so I have cybersecurity expertise. 

Dave Bittner: Oh, I see. 

Caleb Barlow: Really? You have expertise as a victim. That's probably not ideal. Right? But... 

Dave Bittner: Right. It's like saying I was in a plane crash so I can fly the plane. 

Caleb Barlow: Right. Right. Yeah. So there is an analog here, which is really how financial expertise, which is also required on a board of directors, is structured and the structure with the audit committee. So the basic idea is that a board needs to have independent board members - so key word here, independent, meaning that they're not part of the company's management - that has financial expertise. So this would typically be somebody that's maybe a CFO or a retired CFO at another company. In addition to that, there's an audit committee. And, you know, so that is, again, a committee of the independent board, typically with more than one person that has financial expertise, that is supplemented with, you know, a company that's doing the audit. 

Caleb Barlow: Well, think of the analog in a cybersecurity company. You probably have a third-party assessor that is kind of equivalent to that audit that is evaluating the company and providing advice and guidance. And they're probably now reporting that in it (ph) are hired by the board versus hired by the CISO. But that individual with cybersecurity expertise is probably a CISO at another company and/or a retired CISO, or maybe somebody with prior law enforcement experience or investigative experience. We've got to start seeing that those still step up, but it's going to mean that we've got to do some things as a community to up our skills. 

Dave Bittner: Well, so what does the vetting process look like then, ideally? 

Caleb Barlow: Well, the first thing to understand about corporate boards is there's definitely a demographic, and unfortunately, cybersecurity is going to break this demographic, right? If we look at who's on boards, it's typically people 50-plus... 

Dave Bittner: Yeah. 

Caleb Barlow: ...That are either retired or near retirement and have lots of expertise. That's why you want them on your board, right? Well, guess what? Anybody over 50 didn't grow up - you know, nobody over 50 went to school and studied cybersecurity. This is too new of a field. So now, granted, there's plenty of 50-year-olds that have migrated into it. 

Dave Bittner: Yeah. 

Caleb Barlow: But I think the reality here is the first thing we're going to have to recognize is boards are going to have to start getting comfortable bringing some talent onto the board that's probably significantly younger than a lot of the board members and which also probably means they're still in the middle of their career, which is also very different than what you have on boards. But as a community, we're going to need to start stepping up our skills because the language in discussion at a board level and the expectations of someone on a board is totally different than what you would see in a management meeting, right? You're there to guide and advise, not to run the company. And that's a very different set of skills than, you know, a lot of CISOs out there have today. 

Dave Bittner: Well, help me understand. So should we be looking for board members for whom their primary role is to be the cyber person? Or are we looking for board members who we bring in for other reasons but who have a certain degree of cyber knowledge as well? 

Caleb Barlow: Well, let's think of it in terms of how the governance flows. And governance is a key word here 'cause that's what a board does, is provides governance. So when the CFO prepares the financial statement for the company, they prepare it. It's evaluated by a third-party auditor. They present it to the audit committee. The audit committee asks questions. And more often than not, the audit committee may have directions that they want the CFO to take in terms of, you know, how specific costs may be evaluated, moving, you know, specific funds around, what level of, you know, cash we maintain at the company. Those discussions are going to occur at the board level. They're collaborative. But at the end of the day, they're a top-down discussion on the board, where the board is ultimately deciding on the strategy, and the CFO is an instrumental part of defining that as well, but the CFO is executing, right? 

Caleb Barlow: Now let's contrast that with the discussion that occurs today with your average CISO walking into a board meeting. The CISO walks into the board meeting and explains the cybersecurity posture of the company and is educating the board. The board, without the cybersecurity expertise, has no idea, more often than not, what in the world the CISO is talking about, and they're getting educated by the CISO. So the board is making, really, a decision of, do I trust this individual in their judgment or not? Which is fine, but they're not able to approach the data that they're being fed inquisitively, ask questions from their own experience and give maybe unique and different direction. And that's where we have a governance breakdown, more often than not, on corporate boards. Now, it doesn't mean the CISO is not doing a great job. What it means is that the board doesn't know whether the CISO is doing a great job or not. 

Dave Bittner: So what's the solution, then? Ideally, where do - how do we handle this? 

Caleb Barlow: It's really simple, right? I think we've got to do a couple of things. One, at - you know, if you're a CEO at a public company, you need to be bringing your CISO into more board meetings than you do. And look; people like to keep those conversations tight to a limited audience. But the fact of the matter is that CISO's got to start to learn the language of the board - how that conversation occurs, what the expectations are, what board members want to see. And the only way that's going to occur is by being in the room. What that also means is the CISO's got to start to listen to those conversations and leverage every opportunity they get to sit on boards. And then, you know, as board chairmen, you've got to kind of put aside the past demographics of who you typically have on your board and start reaching out and bringing in CISOs from other companies, from other industries, from law enforcement, et cetera, onto your boards and expecting them to have an integral interaction in those board conversations. 

Dave Bittner: Yeah. All right. Well, Caleb Barlow, thanks for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. 

Dave Bittner: One final note - we will be taking a break from our regularly published programs from Christmas Eve to New Year's Day. But not to worry - we still have an exciting lineup of great CyberWire Pro content that you won't want to miss. So stay tuned. And happy holidays, everyone.