Infrastructure hacking. No Russo-American agreement in cyberspace. Android malware infestations. Misspelling as OPSEC
Dave Bittner: [00:00:00:15] I want to thank our latest Patreon supporters. If you haven't checked it out yet please do so. It's at Patreon.com/thecyberwire. Thanks.
Dave Bittner: [00:00:11:07] No, Russia and America won't be linking up in a cyber alliance. And no, no-one at the G20 meetings actually bought the line about election hacking retailed there by President Putin and Foreign Minister Lavrov. NotPetya recovery continues. US power plants are warned to be alert for cyberattack. There are more Android infestations in the wild. Criminals compromise self-service food kiosks; others phish with official-looking Australian emails as bait. ISIS adopts misspelling as a form of OPSEC.
Dave Bittner: [00:00:46:14] Time for a message from our sponsor, Recorded Future. You've probably heard of Recorded Future, they're the real-time threat intelligence company. Their patented technology continuously analyses the entire web, to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best informed decisions possible for your organization. Sign up for the Cyber Daily email, and every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today, and stay ahead of the cyberattacks. Go to recordedfuture.com/intel, to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid, and the price is right, and we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:50:21] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner in Baltimore, with your CyberWire summary for Monday, July 10th, 2017.
Dave Bittner: [00:02:00:24] Those notes of Russo-American cooperation on cybersecurity briefly tweeted this weekend from the G20 meetings had a short but colorful life, every bit as truncated as a 140 character text.
Dave Bittner: [00:02:14:09] President Trump suggested that his discussions with President Putin might well result in the formation of some joint US-Russian unit to fight cybercrime, but these were quickly qualified as aspirational diplomatic hopes for an indefinitely distant future. The tweets in question came under immediate and very harsh Republican criticism, so this thaw in the cyber cold war between the two countries lasted a few apparent hours only.
Dave Bittner: [00:02:40:09] US officials were quick to dispute President Putin's and Foreign Minister Lavrov's contention that everyone at the G20 meetings, the US included, had accepted Russia's protestations that it's been entirely innocent of election hacking and related influence operations. That's not the case. President Trump later said that he'd told President Putin to cut it out during their long meeting. Secretary of State Tillerson called the two countries’ disagreement over the issue "intractable," and US Ambassador to the UN, Haley, said that, "of course" everyone knows the Russians were trying to meddle with elections.
Dave Bittner: [00:03:16:06] So put any thoughts of close cooperation for cybersecurity into the nice idea, isn't going to happen category. Whatever Foreign Minister Lavrov might say, the US continues to hold Russia responsible for hacking and influence operations during 2016's elections.
Dave Bittner: [00:03:32:08] In addition to lingering concern about election hacking, US-Russian relations in cyberspace are particularly frayed by two recent incidents.
Dave Bittner: [00:03:41:12] The first is the extent and expense of NotPetya infestations. By consensus, NotPetya is regarded as having begun as an attack on Ukrainian infrastructure, particularly financial services but also power distribution and other targets. As recovery proceeds, observers give authorities in the US and Europe generally high marks for their response, but warn it might be harder next time. And the costs exacted by NotPetya remain unknown, but it's thought they'll be high.
Dave Bittner: [00:04:12:00] The NotPetya attack is generally believed to have been mounted by the Russian government: that's the official position of the government of Ukraine. While they're certainly not disinterested parties, given the ongoing hybrid war with Russia, a large number of outside observers tend to agree with Ukraine's government. FireEye has commented that signs do point to Russia, although they add the customary caution that all can generally be hoped for in attribution is high confidence.
Dave Bittner: [00:04:39:15] The preliminary attribution of NotPetya to Russian threat actors, believed to be responsible for attacks on Ukraine's power grid, gives added point to the FBI and DHS warnings about attempts to penetrate US electrical power utilities. These appear to have been probes that reached into business networks but not operating systems. Authorities and utilities say there's no immediate danger to either public safety or power distribution, but the involvement of at least one nuclear plant (Wolf Creek, in Kansas) has spooked the media. The warnings were raised by the FBI and the Department of Homeland Security; the Department of Energy is providing security assistance to threatened operators.
Dave Bittner: [00:05:20:14] We heard from Paul Edon of Tripwire about the security challenges this sort of incident poses. He said, "With most industrial control systems now connected to the Internet, they have become vulnerable to targeted cyber attacks and cyber espionage campaigns. However, because the systems were not designed with security in mind, they are largely unequipped to deal with these attacks." He strongly recommends that organizations review not only frameworks, like the NIST Guide to Industrial Control Systems Security, but especially their own response and resiliency plans.
Dave Bittner: [00:05:53:02] Andrea Carcano of Nozomi said that, "The US has to assume that all parts of critical infrastructure are being probed for vulnerabilities 24 by seven from a risk management point of view." The increased connection of formerly separated infrastructure elements should, Carcano thinks, lead enterprises to take a serious look at real-time anomaly detection and machine learning. Nozomi's Edgard Capdevielle pointed out the persistence of phishing as a favored tactic in gaining access to networks and systems. He said, "Targeting engineers with phishing messages is pretty straightforward and, if successful, could be extremely damaging." The days in which one could be confident that air-gapping offered protection are long gone.
Dave Bittner: [00:06:38:24] CopyCat and SpyDealer malware are infesting the Android ecosystem, which it describes as an unusually capable data stealer, thought to be able, in principle, to root one out of every four Android devices. It's affecting mostly Android phone users in China. The good news on SpyDealer is that it never seems to have made it into Google's Play Store, being distributed instead packaged within third-party apps called GoogleService or GoogleUpdate. And there's more good news on this one, too: Google Play Protect is said to be able to detect and remove infections.
Dave Bittner: [00:07:14:22] The other malware, CopyCat, is a lingering ad fraud vehicle that Google has also mitigated with recent updates. But, according to Check Point, users in Southeast Asia who haven't updated their phones remain vulnerable.
Dave Bittner: [00:07:27:10] Several cybercrime campaigns are being reported. In Australia, email in-boxes are being flooded with phishing notes that spoof communications from the Australian Securities and Investments Commission. Businesses are being told their name is due for renewal and are directed to a link where that name can be renewed. Needless to say, the link is malicious. Whether the intent is compromise, destruction, or data theft is so far unclear.
Dave Bittner: [00:07:54:11] Avanti Markets, owner of food vending kiosks, disclosed that hackers might have compromised not only customer paycard accounts, but even some of the physical biometrics associated with those accounts. Plixer's Michael Patterson said that vulnerable vending machines are nothing new, but the criminals' current focus on stealing personally identifiable information is, relatively speaking, a novelty.
Dave Bittner: [00:08:18:08] In standards news, the World Wide Web Consortium, W3C, announced it will promote the Encrypted Media Extensions, EME, as the standard for digital streaming. This decision is controversial: opponents say concerns about consumer protection weren't considered.
Dave Bittner: [00:08:36:10] Finally, it seems that ISIS is turning to a new OPSEC tool - creative misspelling. Security firm Cyberint has noted the appearance of words like "jahood" for "jihad." The intent appears to be evasion of automated intelligence collection. The civilized world may reasonably hope that such primitive codes will be readily broken.
Dave Bittner: [00:09:03:22] I'd like to take a moment to tell you about an important upcoming webinar from our sponsor, ThreatConnect, called Exploiting the Adversary: How to Be Proactive with Threat Intelligence. You know that understanding your adversary is essential to effective cybersecurity. To block threat actors now and in the future, you must know where they've been before, their techniques, tactics and procedures. You also need to know if they're targeting your specific organization. A deep understanding of your adversary enables you to take steps to proactively protect your environment from breaches, and this will be the focus of this webinar.
Dave Bittner: [00:09:37:23] It's all happening this Wednesday, July 12th, at 2pm Eastern Time. Join Kyle Ehmke, Threat Intelligence Researcher at ThreatConnect, and Araceli Gomes, Solutions Architect at CrowdStrike, to talk about proactive threat intelligence strategies, and how best to leverage threat intelligence in your own research. Sign up today at threatconnect.com/webinar. That's threatconnect.com/webinar, and we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:10:11:13] Joining me once again is Ben Yelin. He's a Senior Law and Policy Analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. We've got a couple of interesting stories here, one from the Washington Post, and one from Car and Driver, of all places, for cybersecurity. These are about privacy and these devices that law enforcement use to sort of vacuum up license plates, as they drive around in their cars. There's some interesting legal fights having to do with these devices and people's rights to privacy. Why don't we start with the one in California, which is about collecting data?
Ben Yelin: [00:10:43:24] Sure. There's a piece of legislation in California that sailed this past week in sub committee. In California it's completely legal to cover your car entirely. Let's say, you don't want your computer to get baked in the hot California sun, you could put a cover on your entire car. However, it's somewhat interesting that it is not legal in California to obscure just your license plate, and that's because law enforcement uses these license plate readers that they attach to, generally, law enforcement vehicles. They look like glorified WALL-E robots, but far less cute and friendly. Not only does law enforcement take this information and use it to catch criminals, but it's also used by private entities. It's used by debt collection agencies, it's used by for-profit private companies that can purchase some of the data from license plate readers and track your purchasing history.
Ben Yelin: [00:11:43:14] So it presents major civil liberties issues. The interesting part of the California case is that it doesn't make much sense that just your license plate is something that you're not able to cover, when it is entirely legal to cover the whole car. This committee vote in the California State Senate failed by just a single vote in the Transportation and Housing Committee, and legislators think that, once the issue is taken up again in the near future, that they might reach a different result.
Dave Bittner: [00:12:13:05] So meanwhile, in Virginia, they're talking about how long can the state keep that data that they collect?
Ben Yelin: [00:12:20:09] Right. So most states have some sort of system of laws that dictates, one way or another, how long law enforcement can keep the data collected from license plate readers. Virginia is not one of those states. They have other statutes that might apply. There's one that talks about the Government's ability to hold on to any records retrieved from law enforcement. This case originated at the District Court level; it was brought by the ACLU on behalf of an individual. The lower court held that a person does not have reasonable expectation of privacy in their license plate, and this makes intuitive sense to us. You go out with your car, anybody can take a picture of your car, a private individual, government. When we talk about the legal standard of a reasonable expectation of privacy, it makes intuitive sense that you forfeit that expectation once you put your car out on the street.
Ben Yelin: [00:13:11:13] Now, it's very interesting that the Virginia Supreme Court has decided to hear that case, because that suggests that they might see that it is a violation of the reasonable expectation of privacy. You may be consenting to somebody taking a picture of your license plate once, but are you consenting to everything that comes with license plate readings? So, you know, a mosaic of your life, your trips to your therapists office, your political and religious associations? So we're going to have tackle those issues in the context of the Fourth Amendment, and this is the first time that a case about license plate readers has gotten to this level of State Court, anywhere. So it will be very curious to see how that State Supreme Court holds, and whether the case makes it up to the US Supreme Court.
Dave Bittner: [00:13:58:03] All right, we'll keep an eye on it. Ben Yelin, as always, thanks for joining us.
Dave Bittner: [00:14:03:23] That's the CyberWire. For links to all of today's stories, along with interviews, our glossary, and more, visit thecyberwire.com. Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com.
Dave Bittner: [00:14:21:01] Thanks once again to all our supporters on Patreon. To find out how you can contribute to the CyberWire go to patreon.com/thecyberwire.
Dave Bittner: [00:14:29:16] The CyberWire podcast is produced by Pratt Street Media. Our editor is John Petrik, social media editor is Jen Eiben, and our technical editor is Chris Russell. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.