The CyberWire Daily Podcast 10.31.18
Ep 716 | 10.31.18

Influence operations, and advice on recognizing them. Ransomware updates. US indicts Chinese nationals for industrial espionage. An object lesson from the US Geological Survey.

Transcript

Dave Bittner: [00:00:03] Influence operations in social media and why Americans are more vulnerable than Eastern Europeans; rules of thumb for recognizing the good, the bad and the bogus online; Kraken Cryptor is a black-market leading ransomware strain. SamSam remains active. The U.S. indicts Chinese industrial spies, and what not to look at on your government laptop.

Dave Bittner: [00:00:33] Now a moment to tell you about our sponsor ObserveIT. It's 2018. Traditional data-loss prevention tools aren't cutting it anymore. They're too difficult to deploy, too time-consuming to maintain and too heavy on the endpoint. They are high maintenance and require endless fine-tuning. It's time to take a more modern approach. With ObserveIT, you can detect insider threats, investigate incidents quickly and prevent data loss. With its lightweight agent and out-of-the-box insider threat library, ObserveIT is quick to deploy and far more effective at stopping data from leaving your organization. That's because ObserveIT focuses on user behavior. It's built to detect and respond to insider threats. And it's extremely difficult, even for the most technical users, to bypass. Bring your data-loss prevention strategy into the modern era with ObserveIT. Learn more at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.

Dave Bittner: [00:01:41] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, October 31, 2018. Influence operations of various kinds continue to romp through social media as social networking platforms grapple under election-driven security with the inherent difficulty of content moderation and various other alternative forms of rumor control. Bitdefender and other security companies have been tracking information operations serving up fake news and other forms of propaganda. The focus is, naturally enough, on next week's U.S. midterm elections. But influence campaigns have been active in Brazil, the U.K. and elsewhere. People remain fairly easy marks for stuff served up in the social media groups, which seem to constitute a kind of untrustworthy circle of trust for users. WhatsApp groups, in particular, are being mentioned in dispatches as fonts of misinformation. The messaging platform is especially popular in Brazil, as BuzzFeed notes. And that country's recent elections have spawned a great deal of politically crafted misinformation. Because WhatsApp is both encrypted and structured as a peer-to-peer network, it's difficult to track which memes are going viral, but such monitoring as has been possible suggests that the platform is just as rife with fantasy, misdirection and misinformation as its Facebook parent.

Dave Bittner: [00:03:06] Americans, too, are apparently suckers for Russian trolling. The Daily Beast has swatted through Twitter's recent dump of Internet Research Agency tweets. The Internet Research Agency is, of course, the bear (ph) sisters' big troll farm in St. Petersburg. The Daily Beast concluded that the Americans tend to lap this stuff up. The Internet Research Agency's English-language service, if we may call it, is assessed by The Daily Beast as being nine times more effective than its offerings in Slavic and Baltic languages. This is measured by the engagement the English language tweets attract over here in the land of the free. And frankly, it's embarrassing. In fairness to those of us who live in the home of the brave, people who lived in the old Soviet Union or the former Warsaw Pact still have long, sad living experience with state propaganda of the Russian variety. They expect it, and they've developed a kind of skeptical herd immunity that's lacking in North America.

Dave Bittner: [00:04:06] Security firm Proofpoint is offering a quick five-point guide to critical consumption of online news, a short course in skepticism. First, they say always look for a source. If there's no source offered, that's a bad sign. So is an urgent request for you to take action. Second, look for bots, and block them. There are various tools available to spot some bots, at least. But as a quick screen, be suspicious of a low number of Facebook friends, recently created accounts, very few posts, no profile picture and a disproportionately high following-to-follower ratio. Third, take a look on Facebook at the info and ads. This may contain some information on who exactly is behind an ad you're seeing. Fourth, don't - don't click on Twitter DM or Facebook Messenger links. And fifth, use your quality Twitter filter, which you'll find in the settings and privacy section. You can use this to mute notifications from accounts that exhibit some of the characteristics of untrustworthy tweeters.

Dave Bittner: [00:05:09] Are these infallible? By no means. Assessing whether content is true and whether a source is trustworthy is a problem epistemologists have wrestled with since before Plato wrote the "Charmides." If it had been an easy solution, it would put a lot of journalists, lawyers, polygraph specialists and philosophy faculties out of business. But they do provide a certain useful approach to filtering messages. And if they strike you as reminiscent of advice on social engineering, that's no accident. Influence operations are, after all, just social engineering.

Dave Bittner: [00:05:45] Consumer Reports is well-known for their comparative testing of popular household devices, everything from vacuum cleaners to hair dryers or microwave ovens. These days, they're testing digital electronic devices as well. Maria Rerecich is director of electronics testing at Consumer Reports.

Maria Rerecich: [00:06:03] One of the things that we're working quite a lot on is trying to understand how we should incorporate the smartness or the connectedness of these products, and what should we - what attributes should we test of these products? So we're very good at being able to test, you know, what temperatures are in the refrigerator and how well does a lawnmower cut, but what should we look at? How should we determine about the connectedness? But we also have this other layer, of course, of data privacy and security. And that is something we're looking - working very hard on - how we evaluate that in a way that we can put it into our ratings because when we do testing, we do comparative testing. So we're not testing to a standard. We test to our own test protocols that are always consistent. And they're defined so that across a product category, we test the products the same way. But we do things very deliberately. And we want to make sure we have a good test before we roll it into ratings.

Dave Bittner: [00:07:04] Now, one of the projects that you're working on is called the digital standard.

Maria Rerecich: [00:07:09] Yes.

Dave Bittner: [00:07:09] Can you describe to us - what is that about? And what are you hoping to accomplish here?

Maria Rerecich: [00:07:09] Yeah. So what the digital standard is is a list of criteria that we've put together to say, what should a product that is good - you know, what is goodness in this connected world? And what should this product have in the areas of data privacy and security to work well and to be good for the consumer and good for the person who's getting this product? So we wanted to define what principles needed to be there. And we basically had four themes. There's security, privacy, governance and ownership. So security is about, how safe or resistant to attack is the product from hackers? That would include topics related to encryption and security updates. Is it private? We can have privacy. It deals with permissions and data sharing and consumer control of their data. Can the consumers actually control what data is collected? And what happens to it after it's collected by these devices?

Maria Rerecich: [00:08:12] Governance is whether the company's policies are good for the consumer. How well do the policies protect consumers' privacy and data and things of that nature? And then ownership is the fourth theme in the digital standard. That handles concepts such as the right to repair or permanence of functionality. So those are the themes of the digital standard. Then each of those themes has multiple criteria. So the criteria specify what a test should look for. We decided that rather than expressing those criteria from a very technical standpoint, we wanted to anchor them on consumer expectation. So technical criteria for an environment or the room might be the temperature should be between 68 and 72 degrees Fahrenheit. It has such and such humidity. We measure with sensors placed in locations.

Maria Rerecich: [00:09:01] But we wanted to make these statements of criteria consumer-friendly. So in this example, the consumer expectation might be the room should be comfortable. So in the digital standard, that expectation might be, I should be able to know what data - what type of data this product is collecting about me. We start that way because we want to make sure - we want to try to have these concepts of privacy and security make sense to people and make them understand why they should, A - care, and why they should, B - perhaps select products based on how they handle the data privacy and security. We actually have it at thedigitalstandard.org. The "the" is important in that URL.

Dave Bittner: [00:09:44] (Laughter).

Maria Rerecich: [00:09:44] And we have links in it to a GitHub. And we solicit any kind of feedback into the GitHub. We look at that to try to improve what we're working on there. We also encourage people and other organizations to use it and to test things with it and to exercise it and make improvements in that way. We, Consumer Reports, will use it and are using it for our testing. But we may not use the entire set. It's something like over 40 criteria. It's a very - it's meant to be a very large umbrella of things that are good in a digital connected product world.

Dave Bittner: [00:10:20] That's Maria Rerecich from Consumer Reports.

Dave Bittner: [00:10:25] Security companies Recorded Future and McAfee have released their studies of Kraken Cryptor with particular attention devoted to how the ransomware is distributed through a black-market affiliate scheme. The ransomware, which was first spotted this August, operates by using email to interact with its victims as opposed to deploying a noisy and readily taken down command and control infrastructure. It's hired out by its masters to criminal clients. The crooks keep about 80 percent of their take with the other 20 percent going to the group whose front man or marketing director uses the nom du hack ThisWasKraken. They distribute the ransomware with, for the most part, the Fallout exploit kit.

Dave Bittner: [00:11:06] Kraken Cryptor uses an online casino, BitcoinPenguin, to launder the ransom payments they receive. Those payments are delivered in the form of - wait for it - Bitcoin. From looking at the countries excluded from attack by Kraken Cryptor, Recorded Future concludes that the gang operates from Iran, Brazil or former Soviet republics or perhaps from some combination of these. Another strain of ransomware, SamSam, which crippled Atlanta earlier this year, is being tracked by security firm Symantec, which concludes that SamSam is being used mostly against U.S. targets. The central lesson of ransomware protection remains that an enterprise should regularly and securely back up its files.

Dave Bittner: [00:11:52] The U.S. Department of Justice yesterday released an unsealed grand jury indictment of 10 Chinese nationals, at least two of them serving intelligence officers, charging them with industrial espionage against at least 13 U.S. companies in the aerospace sector. The activities revealed in the indictment, WIRED observes, show the Ministry of State Security's adherence to classic forms of agent recruiting and handling. This proceeds by spotting potential agents, assessing their value, developing them by accustoming the recruit to performing small, trivial, apparently innocent favors for the recruiter, then recruiting them and finally, handling them as they deliver information and receive whatever compensation the intelligence service has seen fit to provide.

Dave Bittner: [00:12:39] Finally, the U.S. Geological Survey's inspector general found the source of a major malware infestation that propagated across the Interior Department agency. An employee used his government device to surf through some 9,000 pages of adult content. One could see maybe a slip-up here or there, perhaps a baker's dozen of moments of weakness. But 9,000 - wow, that's a lot. Oh, and those adult sites were - again, wait for it - mostly Russian. Surprised?

Dave Bittner: [00:13:14] Yeah, we weren't, either.

Dave Bittner: [00:13:20] It's time to tell you about our sponsor, ManTech. The cyber threat is growing, but so is the cyber talent gap. By 2019, ISACA predicts a 2 million global shortage of skilled professionals to meet demands. ManTech has the answer. They've been designing, building and staffing Department of Defense cyber ranges for more than 10 years. With ManTech's Advanced Cyber Range Environment, or ACRE, organizations of any size can develop their own core of cyber professionals. ACRE uses more than a dozen proprietary tools, techniques and processes to emulate any network environment, regardless of size or complexity. Train, evaluate tools, conduct security architecture testing and undergo live-fire exercises on an exact replica of your own network environment, and do it with instructors who understand both offensive and defensive cyber. ManTech helps you think like your adversary and outmaneuver them. This is Advantage ManTech (ph). See how ManTech can work to your advantage. Go to mantech.com/cyber today. That's mantech.com/cyber. And we thank ManTech for sponsoring our show.

Dave Bittner: [00:14:40] And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, this year, we have seen a parade of vulnerabilities revealed about processors, hardware issues. Take us through why now, and what does it mean for us?

David Dufour: [00:14:59] Well, I think, initially, it was kind of a new area that no one had looked at because you're right, we have seen a parade, starting out with the Intel-based problems earlier this year with Spectre and Meltdown. And then it's kind of moved - people have started looking at other chips, you know, AMD, things like that. And I think the basic reason we're seeing it is someone found an area to start exploring. And a bunch of folks with knowledge in those fields started saying, well, heck, I know about these kind of chips. Let me see what's going on with the ones I work with. And so there's just been a lot of digging in that area now. And it's kind of taken on a life of its own.

Dave Bittner: [00:15:37] So where does that leave us, though? I mean, are we going to see these speculative processing capabilities dialed back as new hardware is released?

David Dufour: [00:15:46] I think that's a great question. I think you're going to see the manufacturers spend some serious effort in tightening this up. It's akin to Windows in the '90s and early 2000s, where the important thing was making things interoperable. But then, all of a sudden, everybody realized, oh, my gosh, that made it insecure. I think you saw a lot of that in the hardware side because there wasn't a lot of hardware hacking going on and things of that nature. But I think they'll spend a lot of time and energy now and re-evaluate what they're doing. I firmly believe you won't see a regression in what the chips can do and how they interoperate at that lower level. You'll just see improvements of the security built into them.

David Dufour: [00:16:31] So let's just say though, Dave, you're sitting around your house wondering, is this something I need to worry about? And, you know, there's a couple of reverse engineers I have here at the office. And we like to sit around, and when some new type of threat comes out, we noodle on, hey, how can we make some money with this threat if we were out in the wild and we weren't afraid of going to prison? And so what we do is kind of ideate on some business models nefarious actors would take.

David Dufour: [00:16:59] And we got to say, on this chip thing, it is important that if you're a large enterprise or you're, you know, maybe even a government entity or a contractor for a government entity, you want to probably be paying attention to this because if nation states or large - other large, you know, competitive actors may have an interest in you, this is something they may want to do to get into your environment. But I got to tell you, David, it's really hard stuff. This isn't like downloading some malware, taking advantage of a flash exploit, and boom, I own your machine. It's a little bit more work than that, and by a little, I mean considerably. And so for your listeners, you know, my home computer, I'm not too worried about it. But for those, you know, the percentage of your folks who do have to support large enterprises, they might want to just take the time to inventory what they've got in-house and maybe what steps they should take to prevent or block these types of threats from exposing themselves.

Dave Bittner: [00:17:59] Now, the cloud providers, they've been on top of this thing in terms of applying the patches and so forth, right?

David Dufour: [00:18:06] That is true. When it first came out, everybody was kind of worried. Well, if I'm a, you know, if I'm hosting something in the cloud, can I get to the operating system through my, you know, my hypervisor and get to the chip? And there was concerns around that. But they have been on top of it. And I say that not because Amazon or Google or Microsoft call me up and are like, Dave, we're on top of this, I'm more saying it from the perspective of we haven't seen any big outbreak. So I don't really think they took this seriously because they did say they were, and we haven't seen any major issues around it.

Dave Bittner: [00:18:42] All right. Well, obviously, it'll be interesting to see what comes the rest of the year and moving forward. David Dufour, thanks for joining us.

David Dufour: [00:18:50] Hey, great being here, David.

Dave Bittner: [00:18:55] And that's the CyberWire. For links to all the stories mentioned in today's podcast, check out our daily news brief at thecyberwire.com.

Dave Bittner: [00:19:03] Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire. And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.

Dave Bittner: [00:19:30] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.