GPS jamming. Bank phishing. Exposed server. Censorship, East, West, and South. Is there a sealed indictment of Julian Assange?
Dave Bittner: [00:00:03] Question - when does a military exercise become hybrid warfare? Answer - when it affects civilian safety, like with GPS jamming. Russian banks are sustaining a major and well-crafted phishing campaign. An unprotected server exposes SMS messages. China tightens laws enabling censorship and social control. It also helps Venezuela to do likewise. FireEye's Christopher Porter joins us to discuss security in the aviation sector. And did the U.S. indict Julian Assange, or is it just a cut-and-paste error?
Dave Bittner: [00:00:45] A few words from our sponsor Cylance. They're the people who protect our own endpoints here at the CyberWire, and you might consider seeing what Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But guess what? The bad guys know all about it, too. It will stop the skids. But to keep the savvier hoods' hands off your endpoints, Cylance thinks you need something better. They've just introduced Version 2.3 of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank Cylance for sponsoring our show. Major funding for the CyberWire podcast is provided by Cylance.
Dave Bittner: [00:01:52] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, November 16, 2018. Russian GPS jamming denied by Russia but asserted by Norway and its NATO allies during a NATO military exercise continues to raise questions about flight safety. More has emerged about the GPS denial last week. The Atlantic Council has a good account. Norway's Ministry of Defense said the jamming began on October 16 and lasted through the end of exercise Trident Juncture on November 7. The ministry says the source of the jamming was localized to Russia's Kola Peninsula, which abuts northeastern Finland and Norway.
Dave Bittner: [00:02:35] Russia's Foreign Ministry has denied there was any GPS jamming and says this is just another instance of Russia being blamed for wildly implausible misconduct, but essentially nobody in Western military or governmental circles buys this. Probably no one in Moscow and certainly not in Murmansk up there on the Kola Peninsula buys it either.
Dave Bittner: [00:02:57] NATO's Secretary General Stoltenberg confirmed the GPS disruption earlier this week, saying it was something NATO took very seriously. Russia has long paid close attention to electronic warfare, and it has repeatedly demonstrated effective capabilities both in combat, notably in Syria but also in Ukraine, and in major exercises. Its evident willingness to use a NATO exercise as its own exercise in electronic or cyberwarfare is instructive. GPS denial is different from interference with a tactical FM network. It has indiscriminate consequences for civilian life. As some NATO observers put it, since GPS denial affects the safety of flight, navigation, emergency services and other civilian activities, this sort of jamming begins to shade off from testing and training and into hybrid warfare. Finnish authorities continue their investigation.
Dave Bittner: [00:03:56] We note in passing that while simple jamming is bad enough, meaconing GPS signals to send false geolocation data would be even worse, and that's a line better left uncrossed. So, OK, you might be saying. The Russians seem to get a lot of stick around here, and so they do for good reason. But it's therefore all the more important to remind ourselves from time to time that Russian individuals and institutions are also the victims of cyberattack and especially of cybercrime. One such case has surfaced at week's end.
Dave Bittner: [00:04:29] Bleeping Computer reports that Russian banks are under a major phishing attack by Silence, a criminal group thought to have roots in legitimate InfoSec work where they gained familiarity with financial systems. The phishing emails represent themselves as originating with the Central Bank of Russia. They arrive, as phishing emails usually do, with a malicious attachment. In this case, the body of the message tells the recipient that the attachment contains details on a new standard format for Central Bank of Russia electronic communications.
Dave Bittner: [00:05:02] Group-IB, a Russian firm that operates internationally and has done some respectable work, says that the emails are well-crafted and convincingly present themselves as genuine communication from the Central Bank. A rival gang, MoneyTaker, is also currently active in phishing Russian banks. Group-IB regards Silence and MoneyTaker as particularly dangerous because of their familiarity with Russian banking communications and security measures. The more familiar one is with the target, the better the social engineering one can bring to bear.
Dave Bittner: [00:05:37] TechCrunch reports that a researcher in Germany found a server belonging to San Diego-based communications firm Voxox that exposed millions of SMS messages. The server was unprotected - no passwords. And once it turned up in a Shodan search, it was easy to inspect the contents. Voxox took the server offline when TechCrunch told them they had a problem.
Dave Bittner: [00:06:02] Chinese authorities are pushing for vendors, both foreign and domestic, to bring their offerings into line with state-mandated censorship requirements. The Wall Street Journal reports, among other things, China will want a great deal of user data from online companies. The country's Cyberspace Administration is concerned to regulate activity on platforms where people can express opinions and platforms that have the ability to mobilize society.
Dave Bittner: [00:06:29] Effective November 30, companies that provide online services must maintain extensive records on their users, including real names, times users log in and log off, network source addresses and hardware used. Companies are expected to report suspicious events within 30 working days. A surge in users would count, as would spreading illegal or harmful information.
Dave Bittner: [00:06:54] China's not alone in such ambitions. Indeed, some of its pupils may have surpassed the master. The formerly prosperous but now failed state of Venezuela has taken a page from Beijing's book on content control and has enlisted ZTE to show it the way according to a long Reuters report. Venezuela's studies began under the late President Chavez, who in 2008 sent a delegation to study Chinese methods of establishing a national identity system. The result of that study was Venezuela's fatherland card, which is now the leading edge of a system of social control that identifies, tracks and, as necessary, represses citizens. ZTE is said to be embedded within many segments of Venezuela's system.
Dave Bittner: [00:07:41] In the West, social networks are working on content moderation at the behest of both governments - especially in Europe - and interest groups. Facebook is working hard to come up with an approach to speech governments wish to see curtailed. The social network casts its efforts as an enforcement of community standards which represent an expansion of effective moves against inauthentic accounts, bots, frauds and trolls into more ambitious moderation of content itself.
Dave Bittner: [00:08:11] And finally, remember Julian Assange? The U.S. Justice Department does. According to multiple sources, including The Washington Post and Ars Technica, it seems that Justice inadvertently revealed, through a cut-and-paste error, that it's indicted the WikiLeaks founder. The indictment, if any, appears to be under seal. But Mr. Assange's name and what appear to be passages that describe him turned up out of place in a completely unrelated indictment. What, if anything, Mr. Assange is being charged with remains unclear. If the most famous resident of Ecuador's London Embassy ever emerges, however, a lot of people will want to have a word with him.
Dave Bittner: [00:08:57] And now a bit about our sponsors at VMware. Their trust network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open-platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on a comprehensive approach to security across the digital workspace will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security, thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:09:57] And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, it's great to have you back. You know, we've been seeing more and more coverage of these sextortion scams. And I know this is an area that you guys have - have looked at. What's your take on this?
Craig Williams: [00:10:15] Well, in our most recent look at this, it basically turned out that these are not only frequent and complex but that people are reliably paying, which I think is what surprised us the most. You know, we were tracking I think it was 58,000 wallets. You know, 80 of them had paid. And I do want to be clear; they're not 1 to 1. If you go look at the post, we actually do have some charts about wallet reuse. But, you know, at a really high level, that's a couple of percentage points of people paying, which I think, for these type of scams, is surprisingly high.
Dave Bittner: [00:10:49] Now, are you seeing - are you tracking any evolution in the tactics here?
Craig Williams: [00:10:53] Yeah. So when we initially started looking at this, I think the most common scam was, I hacked your computer and watched you on your webcam, right? And that seems to be one that's been going around for a while. And they're adding some complexity to it now. They're providing things like passwords from data breaches to, like, prove that they hacked your computer.
Craig Williams: [00:11:12] And so that's all little tactics designed to basically manipulate the user into paying. You know, I mean, when you look at this at a high level, they're trying to get an emotional response, right, that emotional shame response so the user doesn't really think it through, right, and they don't really think, is this really viable, did I use this password everywhere for the last 10 years? And instead, they want them to panic and just pay and not really think about it.
Dave Bittner: [00:11:35] Yeah. It's interesting, too. I mean, I think it plays on that sort of unspoken side of the internet, where certainly, they're pressing a button where, obviously, you know, lots of people out there are consuming content that they wouldn't want to be out there publicly known about. And so that really opens up this vulnerability.
Craig Williams: [00:11:53] Right. And I think the dollar amount, too, is pretty telling. I mean, you know, some of these amounts are actually really high. I mean, there are some that were a thousand dollars or more. You know, I think when it comes to these type of scams, they're really trying to find those people who don't think. You know, and I guess you could argue that that's true for a lot of email-based, you know, attacks.
Dave Bittner: [00:12:12] Right.
Craig Williams: [00:12:12] But, you know, I think the combination of this one, combining it with the passwords that have been leaked, it's pretty creative. I mean, this is, from a spam standpoint, this is a fairly sophisticated attack.
Dave Bittner: [00:12:23] Yeah. It's interesting, too, because you know, one of the things that we talk about is that when you question yourself with these sort of things, it's great to ask a friend. The very process of saying something out loud, you know, can lead to you realizing that there is a scam here. But when you're dealing with this kind of content, well, who are you going to tell, right?
Craig Williams: [00:12:43] (Laughter) Yeah. It's true. It's true. You know, I've had people reach out - I think most of us have, privately - and say, hey, this is fake, right? And it's (laughter)...
Dave Bittner: [00:12:51] Right.
Craig Williams: [00:12:51] ...It's one of those...
Dave Bittner: [00:12:52] Yes.
Craig Williams: [00:12:52] ...It's one of the scenarios where you're just kind of like, man, I never want to look at the gallery in your phone, do I?
Dave Bittner: [00:12:58] Right. Right. So I mean, is this a matter of getting the word out to people that this is fake, rather than a purely technical solution?
Craig Williams: [00:13:07] I think so. I mean, you know, these type of scams are never going to go away. Right? It's just limited to the attackers' creativity. Here we've seen them combine, you know, some real-world, factual data with basically a shaming fantasy to trick the user into paying. There's not really a good technical way to solve this because the reality is, it's just an email. Right? And so I think this is just a user education problem.
Dave Bittner: [00:13:29] Yeah. All right. Well, Craig Williams, thanks for joining us.
Dave Bittner: [00:13:36] And now a few words about our sponsor, our friends in the technology news world, Techmeme. You probably know Techmeme from their curated online comprehensive view of all the day's tech news, and now they also produce the "Techmeme Ride Home" podcast. If you like the CyberWire and you're looking for even more technology news, "Techmeme Ride Home" is the podcast for you. We're fans, and we think you'll like it, too. It's 15 to 20 minutes long and hosted by veteran podcaster Brian McCullough. You may know Brian from the "Internet History Podcast." The "Ride Home" distills Techmeme's content into, well, the kind of things you'd like to listen to on the ride home - headlines, context and conversation about the world of tech. It posts every weekday afternoon around 5 p.m., great for afternoon drive time in the U.S. Be sure to search your favorite podcast app for "Ride Home" and subscribe today. That's the "Techmeme Ride Home" podcast. And we thank the "Techmeme Ride Home" podcast for sponsoring our show.
Dave Bittner: [00:14:42] My guest today is Christopher Porter. He's chief intelligence strategist at FireEye and senior fellow at the Atlantic Council. He recently testified before Congress on the cybersecurity threats to the aviation sector. He joins us to share his views on why that particular vertical makes an attractive target.
Christopher Porter: [00:15:01] I think the key thing to know about the aviation sector is that it's probably the most targeted sector of at least the U.S. economy that we see at FireEye. So to give you some perspective, we track 38 advanced persistent threat groups, APT groups. Twenty-seven of those we know somewhat regularly target aviation. So nearly three-quarters target aviation if you include manufacturers, airports, airlines. And that's not even counting, obviously, criminal targeting, which is pervasive.
Christopher Porter: [00:15:34] So it's a sector of the economy that's routinely targeted. And obviously, in certain parts of the sector, you've got people's lives on the line. Commercial air travel, for example. So there's always a lot of concern about the potential for cyber-espionage to turn into a cyberattack not just on availability of systems but on people, as well.
Dave Bittner: [00:15:57] Yeah. Let's dig into that some because I think, obviously, you know, we could jump to the worst-case scenario of airplanes falling out of the sky, which obviously we haven't seen. But when you say that aviation is a target, what sorts of things are they going after?
Christopher Porter: [00:16:10] Overwhelmingly, it's targeting either the business data - so for airlines, for example, that could be traveler records. You know, criminals would target that, as well as nation state espionage groups would have an interest in getting traveler records. It could be trying to get a foothold for direct criminal purposes. So can I steal credit card numbers? Can I ransomware a system that maybe doesn't put people's lives at risk but is necessary for airline operation?
Christopher Porter: [00:16:39] And of course, we do have some examples of airports being targeted for political purposes, mostly in Asia and Europe - you know, messing with the display screens at baggage or in the terminals, displaying political messages. In the U.S., I think you - and to some degree, in Europe and Japan as well - you have a lot of targeting of the big manufacturers and research development, both at universities and at private companies. You know, theft of intellectual property is probably the biggest economic danger overall.
Dave Bittner: [00:17:10] And how is the aviation sector in terms of preparation for this? How are they responding? Are they standing up to the task?
Christopher Porter: [00:17:18] It really depends. You know, the aviation sector, again, is so broad. You know, that obviously includes cleared defense contractors - you know, the big prime contractors in the U.S. and Europe. They've got very robust security programs naturally. But if you think about airports, for example, an airport could be owned by a local metropolitan authority. It could be owned by the state. It could be a mix of, you know, private ownership of parts of the terminal. And so you've got a lot of different stakeholders. And oftentimes, everyone assumes that everyone else involved is responsible for security. You know, we see that a lot where there's not necessarily one standard that everyone's meeting. And it's a cost center that gets pushed off to other people who are involved in the process.
Christopher Porter: [00:18:01] Additionally, if you're a commercial airline or, you know, an airport, you've got a lot of partners that are plugging in. You've got retailers, restaurants, you know, third-party ticket sellers. So there's a huge threat surface. And all of this is happening in an environment that is both - you have to think about protecting people's lives. Making sure air travel is safe is the top priority. And you've also got to do it in a way that's very timely and convenient. So often, security is sort of the last area of investment.
Christopher Porter: [00:18:30] And in my experience, the - it just varies greatly from airline to airline and airport to airport. Some are doing a very good job. Others, you know, have a lot of sort of commodity malware or minor nuisance issues. And it's not necessarily just because of the competence of the people there or the investments they make. Often they have very good security teams. It's just a very big security challenge.
Dave Bittner: [00:18:53] You recently testified before Congress on this topic. What specifically was their interest? What direction are they coming at this from?
Christopher Porter: [00:19:02] Yeah. It was a great discussion with the House Homeland Security committee. Chairman Ratcliffe and others were very interested in, I would say, both the routine targeting for economic purposes, especially theft of intellectual property - they're very concerned about that because aviation is, you know, by some estimates, America's biggest export sector. So, you know, it obviously could be very detrimental to the U.S. economy. They're concerned about intellectual property theft. But a lot of questions did focus on the ability to disable airplanes or to pose a lethal threat. That's obviously more their remit and focus, and it was a primary focus of a lot of the questions that we got.
Christopher Porter: [00:19:40] I do think it is important to keep in mind that cyberespionage does provide a front into these networks that could be used to disable operations. But the only thing we've seen actually happen so far has been disrupting the ability of airlines, for example, to coordinate flight plans. You know, pilots sometimes get flight plans distributed on their iPads or something like that. Those kinds of systems are not going to hurt traveler safety. They just won't take off if there's a problem. But you could absolutely disrupt an airline's operations for a short, you know, period of time by going after those systems, and we have seen that. So the Homeland Security committee was concerned about everything from economic threats but especially focused on the potential for lethal threats.
Christopher Porter: [00:20:25] Sometimes we get questions about China's involvement in intellectual property theft, and wasn't there an agreement to sort of stop that? On the one hand, I do think Beijing has mostly lived up to their commitments to not steal intellectual property directly through cyber means. They use cyber means to maybe help target it in other elements of national power. But direct cybertheft, you know, we did see that drop off very significantly.
Christopher Porter: [00:20:51] Aviation, unfortunately, because it's so closely related to military capabilities, that is not an area where we've seen a drop-off. So that's sort of good news, bad news. Most American businesses face less direct risk of cybertheft of intellectual property, but certain sectors of the economy face a much greater risk because there are just as many hackers and fewer targets. Aviation would fall into that bucket as well. We've seen no drop-off or even, in some ways, a more intense focus on intellectual property theft in the aviation sector. Good news for many of your listeners, but it's more risk than ever if you're working in aviation.
Dave Bittner: [00:21:30] That's Christopher Porter from FireEye.
Dave Bittner: [00:21:37] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor. We actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:21:58] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at vmware.com.
Dave Bittner: [00:22:04] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe. And I'm Dave Bittner. Thanks for listening.