Doxing in Germany. How Lojax works. Spyware found in apps downloaded from Google Play. ISIS hijacks dormant Twitter accounts. Update on Moscow spy case. Chromecast hacking endgame.
Dave Bittner: [00:00:03] German politicians, celebrities and journalists have been doxed by parties unknown. ESET describes the workings of Lojax malware. Google ejects spyware-infested apps from the Play Store. ISIS returns online to inspire, via some hijacked dormant Twitter accounts. Updates on the arrest of a dual U.S.-U.K. citizen on spying charges in Moscow. And some PewDiePie followers sort of say they're sort of sorry for hacking Chromecasts, sort of.
Dave Bittner: [00:00:39] And now a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. As your organization continues to expand outside the data center to the cloud, branch office and device edge, your attack surface opens up to more and more risk. With major breaches announced nearly every day, security operations teams need a better way to identify vulnerabilities and hunt threats inside the perimeter. ExtraHop cuts through the noise of traditional security alerts with network traffic analysis that provides full east-west visibility, real-time threat detection from core to cloud and guided investigation workflows - all the clarity and context you need to act quickly and with confidence. Don't just take our word for it. Explore the interactive demo at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:01:43] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday January 4, 2019. A major story - and one that's curiously only just coming to light - is coming out of Germany. The BBC and other outlets are reporting that a very large doxxing campaign has exposed sensitive personal information belonging to hundreds of German political figures.
Dave Bittner: [00:02:07] The campaign, which began quietly before Christmas and took the form of a satirical advent calendar, with doors opened to reveal various items, released private communications, emails, contacts, phone numbers, memorandum and financial information belonging to hundreds of politicians, including Chancellor Merkel and President Steinmeier. Most of the targets were politicians. But data belonging to some celebrities and journalists were also compromised and released. Germany's Information Security Agency, the BSI, is investigating.
Dave Bittner: [00:02:42] The only political party apparently unaffected is the Alternative for Germany, generally described as far right. Observers betting on forums suspect Russia's GRU, Fancy Bear, working with the aim of discrediting politics and civil society in Germany. But that's speculation on a priori probability.
Dave Bittner: [00:03:04] Security firm Proofpoint emailed us to say that they think the operation looks a lot like a Russian APT they've been tracking. Proofpoint's threat intelligence lead Chris Dawson said, quote, "while actor attribution is notoriously difficult, early indications suggest that the Russian APT group Turla, also known as Snake, Venemous Bear, Waterburg and Uroboros, is behind the German data breaches reported earlier today.
Dave Bittner: [00:03:30] Proofpoint researchers have seen Turla targeting German interests before, particularly leveraging a G20 summit on the digital economy that took place in Hamburg in October 2017. Other activity associated with this group has been well-documented and stretched back to at least 2018," end quote. So that's an informed bet on forum.
Dave Bittner: [00:03:52] There are no official details on attribution, and Twitter has taken down the accounts used to spread links to the documents. German Justice Minister Barley called the incident a serious attack and added that the people behind this want to damage confidence in our democracy and institutions. None of the material so far seems particularly discreditable or explosive, but there is a great deal of it. And the range of the doxxing suggests that whoever was behind it worked at the caper in a long, focused effort.
Dave Bittner: [00:04:24] Speaking of Fancy Bear, researchers at security firm ESET have released details on Lojax, UEFI rootkit the GRU has been using to compromise firmware in devices it's targeted for cyber espionage. There is, ESET says, good reason to believe that Lojax can be relatively easily thwarted. Vendors are now able to patch their devices, and enabling Secure Boot on vulnerable Windows devices should also prevent Lojax from running.
Dave Bittner: [00:04:54] There's another family of malware circulating in the Play Store. Researchers at Trend Micro have discovered a mob ST spy infestation in Google Play where the spyware has been found lurking in otherwise innocent appearing Android apps. More than 100,000 users may have been infected. The malware can eavesdrop on SMS conversations and read contact lists, files and call logs. It reports the stolen data to its server, via Firebase Cloud Messaging. It can also geolocate the device it's infected. Trend Micro says the spyware was first noticed in a game called Flappy Birr Dog. They subsequently found it in several other applications as well. Google has now removed the infected apps from the Play Store.
Dave Bittner: [00:05:41] ISIS has returned to the online world, seeking to inspire mass murder, mostly by automobile, in spaces crowded with unbelief - that is public spaces where most of the people in any given crowd are likely to be infidels. Engadget and Tech Crunch report that some of the depraved inspiration has been delivered through dormant Twitter accounts ISIS hijacked. Twitter has now suspended those hijacked accounts.
Dave Bittner: [00:06:07] Bail is being sought for Paul Whelan, charged with spying by Russia's FSB. The FSB says the dual U.S.-British citizen received a USB drive containing a roster of personnel at a secret Russian institution. According to various Russian news sources, Whelan received the dongle from a Russian citizen at his hotel with FSB agents bursting in moments later to arrest him. What happened to his alleged Russian confederate isn't known. Whelan's background is unusual. He's a senior security manager at BorgWarner, which is a large company with operations in many countries. But Russia is not among them.
Dave Bittner: [00:06:46] He has visited Russia before, and he's said to have been active in the VKontakte, the Russian social network. He's an ex-Marine, a former staff sergeant who twice deployed to Iraq but who was also given a bad conduct discharge by a court martial in 2008 for what military court records characterized as attempted larceny, three specifications of dereliction of duty, making a false official statement, wrongfully using another's Social Security number and 10 specifications of making and uttering checks without having sufficient funds in his account.
Dave Bittner: [00:07:21] The court martial would seem to make him an unlikely candidate for recruitment by U.S. intelligence services. But then it would also seem to make him an unlikely candidate for a good security job at BorgWarner. Yet that's the job he has. It's an odd case. Whelan seems to be at least a bit of a Russophile. And his interest in Russian culture, which many people in many places share, may have put him in harm's way as an easy target of opportunity for Moscow's security organs.
Dave Bittner: [00:07:51] The circumstances of the arrest do indeed sound like something consistent with provocation. Most observers think Whelan's arrest is a Russian move to bargain for a spy swap with the U.S. - and indeed seems the likeliest explanation on the basis of what's known so far. For now, he's still being held, and his Russian defense attorneys say he seems to be bearing up as well as can be expected. Both the U.S. and British consulates are in touch with the Russian government over the case.
Dave Bittner: [00:08:20] And finally there's a pause in the campaign to get people to follow PewDiePie. The fans responsible, whose hacker names are HackerGiraffe and Juicer (ph), have represented themselves as white hats, honest vigilantes showing the unskilled and unaware that their Chromecasts are hijack-able by, well, hijacking those Chromecasts. Any who, no doubt after the night of unquiet sleep - possibly made even more unquiet by overindulgence in Tide PODS - HackerGiraffe awakened to the realization that he had been transformed into something that felt, quote, "burned and roasted, awaiting my maybe coming end," end quote.
Dave Bittner: [00:09:00] Mr. Giraffe has therefore now exited the social media spaces he formerly cumbered, suggesting to Motherboard that he never meant any harm and regretting that he spooked people so badly they began sending him death threats. We're with him on the death threats. Nobody should get those. But we won't miss the invitations to chicken dinner with Mr. Pie either.
Dave Bittner: [00:09:27] Now, a moment to tell you about our sponsor Attila Security. Attacks on the U.S. defense industrial base supply chain, otherwise known as DIBs, is one of the most pervasive cyberthreats facing our nation today. DIBs are vulnerable for a variety of reasons, ranging from legacy software and systems and a corporate culture that values operations over IT security. Cybercriminals exploit these weaknesses and target their attacks on DIBs in order to gain access to government networks. Attila Security is tackling this threat head-on. Attila Security's GoSilent technology features a portable security appliance that installs in minutes by any nontechnical user. GoSilent is a firewall and VPN in one and turns unsecured data transmissions into top-secret-level security communications in just minutes. Atilla Security's products and solutions enable organizations to keep data secure while avoiding disruptions to daily operations. To learn more about how Attila secures the DIB supply chain, visit atillasec.com. That's spelled A-T-T-I-L-A-S-E-C.com. And we thank Attila for sponsoring our show.
Dave Bittner: [00:10:51] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's great to have you back. Happy New Year. It is time to talk about what you are looking forward to in 2019. What can you share with us?
Justin Harvey: [00:11:05] Well, I'm looking forward to companies and organizations improving their cyber defense posture. Maybe I should be the Grinch here...
Dave Bittner: [00:11:16] Right.
Justin Harvey: [00:11:17] ...And say there will be attacks. There will be more vicious attacks. But I think that the best advice I can give to companies is to do the basics and to follow best practices wherever and whenever possible. There have been a lot of cases out in the past year where adversaries have preyed upon some of the most basic of practices. Like, business email compromise is a good example of it. Sending fake login pages to people and having them log in, that's not related to malware at all.
Justin Harvey: [00:11:53] We know that that malware is out there, and it will get worse and worse. And we know there are zero days. But it's all about what you can do today and do well. Things like having an EDR solution - so endpoint detection and response capability - not only on your servers but your workstations, your laptop, so you can do hunting and get valuable telemetry consumed within your SIM.
Justin Harvey: [00:12:19] Another basic is to pressure test your cyber defense program. Many times, people think, well, I've got an instant response point. I'm doing penetration and vulnerability testing. I'm done, right? And the answer's no. You really need to pressure test in a live-fire situation to determine if your incident response program and team is up to snuff. And you can do that through the use of red teams and adversary simulations. So that is essentially tying together multiple vulnerabilities and having humans perform those attacks to see if you're ready.
Justin Harvey: [00:12:56] Another basic that companies need to have is a diverse and unique threat intelligence partnership. So not just getting threat intelligence feeds from a bunch of providers, but pick one that has a strategic threat intelligence capability. And what I mean by strategic is being able to consume and hear about the latest threats facing their industry or geography. A lot of companies miss that. They think, well, I'm getting all of the feeds in. I get all the news when there's a zero day. I'm done, right? And the answer is there are unique attacks and adversaries that target certain industries and certain geographies, and it's very helpful to have that insight.
Justin Harvey: [00:13:39] And the last basic that I have to give to companies for 2019 is an obvious one - multifactor. You'd be surprised about how many cases over the last year that my team has run where a company hasn't had multifactor, and they've been hit by things like business email compromise. So having multifactor - not just on your administrators, not just on your users, but even sometimes, and many times, for your customers as well.
Dave Bittner: [00:14:08] You know, I think 2018, we saw - in terms of trends, we saw the rise of crypto-mining. Is there anything in particular for 2019 that you think is going to bubble up for us?
Justin Harvey: [00:14:20] Only time will tell, Dave.
Dave Bittner: [00:14:22] Yeah.
Justin Harvey: [00:14:22] I think that - you know, my personal opinion is leading up to the 2020 election, I think for organizations that have candidate-worthy data, I think that there will be more and more politically-backed cyberattacks and leaks. And what's going to be interesting is to see, based upon Julian Assange's possible extradition or possible release, if he starts to get involved again with WikiLeaks, or if there are more sites that are going to pop up that are able to dump information like that.
Dave Bittner: [00:14:58] All right, Justin Harvey, thanks for joining us.
Dave Bittner: [00:15:04] Now I'd like to share some words about our sponsor, Cylance. AI stands for artificial intelligence, of course. But nowadays, it also means all image or anthropomorphized incredibly. There's a serious reality under the hype, but it can be difficult to see through to it. As the experts at Cylance will tell you, AI isn't a self-aware Skynet ready to send in the Terminators. It's a tool that trains on data to develop useful algorithms.
Dave Bittner: [00:15:31] And like all tools, it can be used for good or evil. If you'd like to learn more about how AI is being weaponized and what you can do about it, visit threatvector.cylance.com and check out the report "Security: Using AI for Evil." That's threatvector.cylance.com. We're happy to say that their products protect our systems here at the CyberWire. And we thank Cylance for sponsoring our show.
Dave Bittner: [00:16:03] My guest today is Ken Modeste. He's director of digital health at UL - Underwriters Laboratories. For UL's Cybersecurity Assurance Program, Ken leads their efforts establishing and promoting standards that address security concerns in network-connected products and systems.
Ken Modeste: [00:16:21] We've started since 1894 in Chicago - the World's Trade Fair - so that's 120-plus years. And really, that's when you started seeing a lot of industrialization occurring in the Industrial Revolution that really started driving expansion in the globe. And so because of that, electricity was becoming fairly mainstream, and UL as an organization was working towards public safety and helping manufacturers provide safe products so that consumers can use them. And over the last hundred-plus years, that's what we've been doing.
Ken Modeste: [00:17:00] However, now in the 21st century, the way - how I look at it is, you know, safety has had a long time to build up good practices, to build up good expectations from consumers and to build up educational streams where, today, if you come out of college, you know how to build a safe product most of the times. You know what you need to do from an electronics perspective. But when you buy something today - you buy a smartphone, you buy a smart tablet, a TV - it doesn't go to your head that this thing is going to catch on fire or electrocute you. You automatically take that for granted - given.
Ken Modeste: [00:17:37] And UL has been one of the fundamental organizations that has had that happen over the last hundred-plus years. So I like to call it the adult in the room, and cybersecurity, the baby. Cybersecurity is where safety was last century - the beginning of last century. That's where it is today. And cybersecurity, when you really consider it and you look at it, now, with connectivity, cybersecurity is sort of a major part and element of safety.
Ken Modeste: [00:18:04] Today, when you think of safety, it's not only about firing - something catching on fire, it's electrocuting you - because you assume that's there. It's now about, is it secure? Is my data secure? Is my privacy secure? Can it prevent someone from coming in and maliciously trying to take control and do something nefarious remotely? And so cybersecurity is a big part of safety for this century. And UL being a public safety company has been approaching this since - from the 1990s - late 1990s to ensure that we continue to deliver the abilities and support the capabilities for safety from a public perspective.
Dave Bittner: [00:18:43] So take us through what's going on here with your efforts. You have your Cybersecurity Assurance Program. Can you describe to us what is that? And how do you interact with the folks who are in industry?
Ken Modeste: [00:18:54] Cybersecurity Assurance Program, or what we call UL CAP - yeah. We started looking at this about 6, 7 years ago. As we know, 2007 - the advent of smartphones and smart tablets really started a massive explosion of IoT. It was a trickle for the first year. Second year - now you're seeing some significant trends. And what that means is, you know, now you're going to see more and more connected products. You think of your door lock now. The door lock used to be something, you know, physical with a key. Now I have door locks with batteries in it and that are connected to the cloud.
Ken Modeste: [00:19:32] And so as we started looking at more and more of the products that are on the marketplace today, and more of them having connectivity and the IoT - that whole concept of safety that I mentioned now involving security and expanding the concept of safety. We started taking a look and saying, how do you need to move forward to provide that assurance for the consumer? And the consumer being you and I, or, you know, organizations, as they buy for stuff that they're putting into their organization.
Ken Modeste: [00:19:59] So we started that process by looking at all the best practices out there. We got together with folks from the U.S. government, from academia and some select folks that we knew. And we spent some time trying to identify, what are all the things that are out there, how they're used and the value they're providing. And one of the things we really hit on is the majority of security flaws and security incidents happen with software and products, whether it's a software product, like a mobile app or a cloud system, or whether it's, like, that smart lock that I mentioned, or a smart camera that's running software - firmware on it.
Ken Modeste: [00:20:37] And we said, if we provided requirements around how to assess and evaluate software and products, we can have it where it covers a lot of different types of IoT markets. And the reason why we wanted to have it where you can assess it is because there's a lot of standards out there that tell people how to design something. There's a lot of standards out there that tell folks how to do a secure design process in their organization, or how to assess an organization. Think of ISO 27001 has been around for quite some time. And so that's what we built around some standards - 2900 series of standards.
Ken Modeste: [00:21:16] But we also recognize that the majority of the industry wasn't mature enough to accept these standards and be able to comply with them immediately. So we have something called, you know, I like to call it the ABCs of cyber. And this typically happens in the industry. When you have new specifications coming out - you think of Bluetooth as an example, you think of Zigbee as an example, you think of some of the new IoT technologies like MQTT - you come up with a specification for a protocol or some type of thing most folks need to first get an understanding - some kind of advice on how to design and build it.
Ken Modeste: [00:21:53] Then they usually need some mechanism to benchmark. So advice is how you help them. You guide them. You do workshops. You do some training. You explain to them what's out there and what's applicable for them. You benchmark. Basically, you go out there and help them by start doing testing on what they have. Start providing them with guidance on the specification.
Ken Modeste: [00:22:16] And some folks stop there. You know, you've heard of pen testing. Some folks stop at pen testing, and they need some kind of guideline for repeatable and reproducible. And then ultimately, the C in the A, B and C advised benchmark - the C is certification, where in some industries, it helps to have a model where a third party, like UL, has gone through and evaluated the entire product or family or suites of products and certified that they comply with the standard.
Ken Modeste: [00:22:41] So the UL Cybersecurity Assurance Program overall is how we approach cyber when it comes to the safety of the 21st century. And we've built some models in there around 2900 as our set series of standards. Other series of standards - but holistically looking at how to help the manufacturers today design and build security into their own products.
Ken Modeste: [00:23:07] UL is an independent third-party organization. We've been operating for a long time, like I said, a hundred-plus years. And we're a trusted partner for both manufacturers - for both the asset owners or procurers of that - and ultimately, for the consumer, like you and I. And one of the things that I want to point out is that, you know, we believe that cybersecurity is a foundation that you have to keep building on. There is no one magic code. There is no one magic process.
Ken Modeste: [00:23:34] And UL isn't saying that everything that we do will completely solve the cybersecurity problem. What we are saying is we're presenting a possible solution as a foundation to build upon over time. And ultimately, what we want to do is exactly what happened in the last century. In the last century, safety wasn't comparable in the '60s as it was to the '20s and '30s. And industry and consumers overall have to look at driving cybersecurity trends based on what their expectations are and expecting foundational changes over time. We're not expecting a quick magic bullet.
Dave Bittner: [00:24:12] That's Ken Modeste from UL.
Dave Bittner: [00:24:19] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:24:33] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.