The CyberWire Daily Podcast 3.28.18
Ep 565 | 3.28.18

Tensions over Salisbury nerve agent attack remain high. BranchScope raises concerns about side-channel attacks. Facebook data scandal updates. Atlanta and Baltimore recover from hacks.
Dave Bittner: [00:00:03:05] Tensions continue to rise between Russia and other, mostly Western, countries as the number of nations taking diplomatic measures to protest the Salisbury attack exceeds 25. Western governments are on alert for Russian cyber operations as well as diplomatic reprisals. A new bug, called BranchScope, is found affecting Intel processors. The Facebook data scandal continues. Atlanta and Baltimore recover from hacks of municipal systems. And don't be fooled by bogus job offers.

Dave Bittner: [00:00:39:20] Time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real time threat intelligence company, whose patented technology continuously analyses the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely, because that's what you want, actionable intelligence.

Dave Bittner: [00:01:17:23] So sign up for the Cyber Daily email where every day, you'll receive the top trending indicators Recorded Future captures crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay a step or two ahead of the threat. Go to, to subscribe for free threat intelligence updates. That's and we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:57:17] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire Studios at DataTribe, I'm Dave Bittner, with your CyberWire summary for Wednesday, March 28th, 2018.

Dave Bittner: [00:02:10:08] The tally of countries taking diplomatic action against Russia for what US Defense Secretary Mattis aptly called "attempted murder" in Salisbury has now risen above 25. The US expulsion of 60 diplomats accredited to Russia's Washington embassy and United Nations delegation is the largest ever such expulsion ordered by an American administration. Nothing in the Cold War, for example, came close. A number of observers have pooh-poohed showing diplomats the door as an ineffectual response that doesn't really hit President Putin and his regime where it hurts. They recommend harder financial sanctions, for example, like suspending Russian banks' access to the SWIFT international funds transfer system.

Dave Bittner: [00:02:55:14] While it's doubtless true that oligarchs care a lot about their net worth and its liquidity, the degree of odium and isolation Russia is experiencing can't be comfortable, especially during a time when domestic outrage is rising over Sunday's disastrous fire that destroyed a shopping mall in the Siberian city of Kemerovo, killing at least 64 people, 41 of them children. The high death toll is attributed to official negligence and corruption (disabled alarms, locked exits, and so forth) and there have been protests in Russia. Another downside is the striking degree of intelligence sharing that's taken place in the West over the Salisbury attack. The Times of Israel is particularly struck by what it calls an "unprecedented" degree of openness on the part of British intelligence. Such collaboration isn't good news for Russia. For its part, Russia's Foreign Ministry has denounced the diplomatic reprisals as "senseless" and "boorish," and promised that Russia will itself take some action in response. What that action will be is expected to include, as a minimum, Russia's own declaration of foreign diplomatic personnel persona non grata.

Dave Bittner: [00:04:05:12] More worrisome is the prospect of offensive Russian cyber operations. For weeks officials and security experts in a number of countries, but notably in the UK and the US, have warned of the vulnerability of electrical power grids to cyberattack, and of Russian preparations to conduct such an attack. When such exchanges in cyberspace might become an act of war remains unclear, but it's unsettling to say the least that this question is now being widely asked.

Dave Bittner: [00:04:33:08] There are all sorts of illicit products and services for sale on the deep and dark web. Liv Rowley is an intelligence analyst at Flashpoint and she recently authored a research report, titled Refund Fraud and Fake Receipts Proliferate on the Deep and Dark Web. She joins us to share her findings.

Liv Rowley: [00:04:52:01] Probably about a year ago, we started hearing from some industry partners, that they were really being impacted by refund fraud, which is just when somebody orders something online typically and then they pretend that there's an issue with the shipment of the product, in order to get a refund of the product. So they get the actual product in the mail and then they get that refund as well. So we started looking into it and we were seeing it all over, you know, a handful of communities in the deep and dark web, where people were actually selling their ability to con customer service representatives, in order to get these refunds.

Dave Bittner: [00:05:28:15] What exactly did you discover and how does this work?

Liv Rowley: [00:05:32:18] So what we discovered is, while there are definitely people doing this on their own, just to defraud companies and get their own pair of sneakers, we found that there's a handful of, we're calling them refund fraud vendors, they actually offer their abilities to secure these fraudulent refunds for their clients. So, if you would be interested in using one of these refund fraud vendors, you might buy a laptop online and then, after you get the delivery of the laptop, you'll go to any of these vendors and say, "Hey, I got this laptop, but I don't want to pay for it, I want a refund." And you pretty much hand over all the details of that shipment; when you bought it, with the name on the account to this vendor. And then the vendor calls up their customer service, makes up whatever excuse they feel will get the job done and then the client of that illicit vendor gets a refund, a full refund and they pay a small percentage, normally about ten percent, to the person who helped them get that refund. So it's a super interesting scam, because people are essentially contracting out social engineering.

Dave Bittner: [00:06:44:05] So on the retailer side, are people just taking advantage of retailers wanting to provide good customer service?

Liv Rowley: [00:06:50:21] That's what a lot of it is, absolutely. A lot of times, these retailers will even push back, cyber criminals will talk about how, you know, the retailer will say, that's not our problem, that might be a problem with the shipping company and they will keep pushing, keep pushing, keep pushing until they do eventually get these refunds.

Dave Bittner: [00:07:07:23] Interesting. It strikes me too that in an age where I get a text message when UPS delivers something from Amazon, there's a paper trail on these things, an electronic paper trail, and it would strike me that that would make this sort of thing more difficult. But your research seems to show that they can still do it.

Liv Rowley: [00:07:30:07] There are a variety of excuses that these fraudsters are employing when talking to customer service representatives, but a lot of it is just them very convincingly lying to these people, who are giving them refunds. We'll even see, some of them will say even if you signed for the package, I can get you a refund, which to me, is absolutely remarkable.

Dave Bittner: [00:07:51:05] And is there any sign that the retailers are getting wise to this and pushing back?

Liv Rowley: [00:07:57:00] They're definitely aware of it and different retailers have been employing different countermeasures. Signing is a big one; a lot of people won't be so bold as to ask for a refund, even when they've signed for it. But also, we've seen some retailers have rolled out weighing packages throughout transit. Sometimes what these fraudsters will say is that they got their package, but there was just nothing in it, or maybe they got two of the four items that they ordered and that's the excuse that they'll use to get a refund. So, when you are weighing this package at each step, you can say, well, there's no way that that box was empty, because we weighed it and there's a weight to it and it aligns with the product. So there are different things that are being done, to try to combat this type of fraud.

Liv Rowley: [00:08:41:15] The last interesting thing that I would have to say about this, is the fact that you also have people sharing evidence of either the products that they were able to acquire or an email stating that they did get a refund and they're sharing this information openly. So that's one of the reasons that we can be pretty sure that this fraud is indeed happening and that these vendors of these fraudulent refund services are actually doing what they say they're doing. Because people take a screenshot of an email that they got, saying, "We're sorry about your package, here's an $800 refund." And they'll post that on these deep and dark web forums, to help boost the credibility of the vendor. So that's very interesting to actually see that evidence that this is happening.

Dave Bittner: [00:09:27:21] That's Liv Rowley from Flashpoint. You can read the complete report, Refund Fraud and Fake Receipts Proliferate on the Deep and Dark Web, on the Flashpoint website; it's in the blog section.

Dave Bittner: [00:09:39:08] University researchers have found a new vulnerability affecting Intel chips. This one, called "BranchScope," involves a susceptibility to side-channel attacks. Intel has been working on the issue and thinks the bug probably amounts to no big deal.

Dave Bittner: [00:09:55:13] In industry news, Thales continues to move forward with its plan to acquire all of Gemalto's stock, and Gemalto's board is commending the deal to shareholders. The period during which Gemalto shareholders can take Thales up on its offer runs from today through June 6th.

Dave Bittner: [00:10:13:07] Canadian advertising and software development firm AggregateIQ has denied connections with Cambridge Analytica as well as involvement in the ongoing data scandal. But code found by UpGuard in an exposed AggregateIQ database suggests there may be some connection. In the code was a string, "Ripon," which is the name of a Cambridge Analytica platform, and also the username "SCL" (the name of Cambridge Analytica's corporate parent). The findings are small and circumstantial, but also interesting in the light of Cambridge Analytica whistleblower Christopher Wylie's testimony in the UK, that AggregateIQ was involved in US campaign operations.

Dave Bittner: [00:10:55:13] For its part Facebook is putting its money where its mouth is with respect to its take that the data scandal is essentially an app scandal, and a third-party app scandal at that. It's offering researchers bug bounties for finding and reporting apps that collect and misuse data. Details on the bounty program will be made available as Facebook firms them up over the coming weeks. The expanded bug bounty is only one element of the company's damage control. To review, Facebook initially responded by pausing all third-party application reviews on its platform until it could apply changes to app permissions that would impede future episodes of data misuse. The company also said that it would have its engineers manually review any app that requested access to a user's friends list. As a minimum that review would determine whether the app was actually using the data within itself (as opposed to just scraping it up for other purposes). The company also intends to look into apps that could access data before Facebook's 2014 changes to the platform that were intended to reduce such access. Facebook also intends to sunset apps. If you've installed an app and haven't used it for three months, Facebook will turn off that app's access to data. Any app developers found to abuse data will no longer be welcomed by Facebook. And, of course, the company says it intends to notify users affected by data abuse. Such moves of reform and repentance have their limits, however. CEO Mark Zuckerberg has declined Westminster's request that he come to London and testify before a Parliamentary inquiry into fake news. Members of Parliament affect shock at his demurral.

Dave Bittner: [00:12:38:13] Two large US cities have been affected by hackers over the past two weeks. Atlanta is just now beginning to recover from the SamSam ransomware infestation that induced the city to take many of its employees and services offline last week. Advice against paying ransom still holds, but Atlanta's experience shows that recovery can be far from painless. Atlanta's brought in a lot of help. A partial list includes Secureworks, the FBI, the US Department of Homeland Security (including the Secret Service) and response teams from Microsoft and Cisco. The other city is Baltimore, whose 911 dispatch system was hacked Sunday morning. The city's emergency responders switched to manual operation until the computers were brought back online by 2:00 Monday morning. The mayor says it's back to normal now.

Dave Bittner: [00:13:30:01] Finally, an interesting scam has been reported in which criminals have impersonated executives and even board members from the large US Federal contractor CSRA to hoodwink applicants for jobs into handing over information better kept to themselves, like credentials and other personal data. The approach starts with an email from a Gmail account, and then an interview in which the scammer uses the name of a real executive. They often follow up by sending the victim what looks like a check, the better to harvest financial information. CSRA isn't the only company whose good name is being abused, and we note that this involves no compromise on CSRA's part. The company, and most of its peers, post "How We Hire" notes on their corporate websites. Do consult them before you respond to a Gmail contact from anyone claiming to be a hiring manager. Sure, you want the job, but slow down and be safe.

Dave Bittner: [00:14:29:17] And now a word from our sponsor, LookingGlass Cyber Solutions, an open letter from the malicious botnet on your network.

Male Voiceover: [00:14:39:19] So, here we are, it's just you and me at this Godforsaken hour, you're looking right at me too, I'm on the second monitor to the left. Had you seen me, you would have realized I compromised computers in your organization and they work for me now. Even if you had spotted me, your current process is too slow to catch me. You update your network rule sets once a week, I'll be on Cabo by then, working on my tan. I love getting to know your company by the way, your financial data, personal records. I've got a piece of unsolicited advice for you, check out what LookingGlass Cyber Solutions is doing. They've got some kickbutt technology that fends off cyber threats like me, data breaches, ransomware and stolen credentials, in real time. Be a hero, with the LookingGlass Scout Shield Threat Intelligence Gateway. See the video at

Dave Bittner: [00:15:46:18] And I'm pleased to welcome back to the show, Dr Charles Clancy, he's the director of the Hume Center for National Security and Technology at Virginia Tech. Dr Clancy, welcome back.

Dr. Charles Clancy: [00:15:55:14] Great to be here.

Dave Bittner: [00:15:56:02] So an interesting topic you want to discuss today, some analogue security of cyber physical systems, what do we need to know about this?

Dr. Charles Clancy: [00:16:04:11] So, a cyber physical system is any sort of system that involves both a cyber component and a physical component, as the name might imply. So you could think of a home automation system, or a connected vehicle for example, as an example of a cyber physical system. And one of the interesting properties of a cyber physical system is that they have sensors, that measure the environment around them, the readings from that sensor go to some sort of control logic, that then makes decisions and from there, takes action. So you think of a self-driving car, for example, it has cameras and radars and other sensors that it uses to then make decisions. Those decisions then impact things like steering and acceleration. So it's this interesting convergence of the cyber world and the physical world and it has a unique set of cyber security challenges.

Dave Bittner: [00:16:54:12] And so take us through, what are some of those challenges?

Dr. Charles Clancy: [00:16:57:06] Well, first is that oftentimes, these sensors can be spoofed, there's been some interesting research coming out of the University of Michigan for the last few years, showing that attackers can, for example, send acoustic waves, or high energy RF signals, that will inductively couple into some of these circuits and cause false readings. And if false measurement data gets processed by these control algorithms, the wrong decisions get made and that can potentially be a major safety problem. Another example of some interesting research that's going on here at Virginia Tech by one of my colleagues, Dr. Ryan Curtis, is actually looking at the actuators, so the things that change, motors and servos, things of that nature. So he has a paper coming up in the next couple of weeks, at a major security conference, that shows that you can use a magnetic wave to cause a motor to turn in a controllable way. So for example, he can actually take control of a UAV, by using these magnetic waves, to directly control the motors, which is really interesting, because there's really no cyber defense against that. Because it's not anything that affects any of the digital control logic in the system.

Dave Bittner: [00:18:12:16] So it's just a matter of having systems in place, to recognize these anomalies when they happen?

Dr. Charles Clancy: [00:18:18:06] Definitely, so that's one of the key countermeasures. Most of these systems are designed to be resilient in the face of some sort of failure, or fault, or noise, but none of them anticipate that there is a malicious element that's causing these particular failure modes. So, the research agenda that we have at Virginia Tech is looking at how you can begin to build the cyber physical control systems and have them presume the presence of a malicious actor, as part of the decision making logic.

Dave Bittner: [00:18:50:01] Interesting work. Dr Charles Clancy, welcome back and thanks for joining us.

Dr. Charles Clancy: [00:18:53:10] Thanks a lot.

Dave Bittner: [00:18:58:12] And that's the CyberWire, thanks to all of our sponsors for making the Cyberwire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, through the use of artificial intelligence, visit

Dave Bittner: [00:19:12:04] And thanks to our supporting Sponsor, E8 Security, follow the behavior, find the threat. Visit to learn more.

Dave Bittner: [00:19:21:00] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media, with Editor John Petrik, Social Media Editor Jennifer Eiben, Technical Editor Chris Russell, Executive Editor, Peter Kilpe and I'm Dave Bittner, thanks for listening.