China criticizes Twitter and Facebook. Silence expands internationally. A popular Ruby library was backdoored.
Tamika Smith: [00:00:03] China says Twitter and Facebook are restricting its freedom of speech. The Silence criminal gang has expanded internationally. Google, Mozilla and Apple are blocking the Kazakh government's root certificate. A popular Ruby library was backdoored after a developer's account was hacked. And scammers buy ads to place their phone numbers at the top of search results.
Dave Bittner: [00:00:33] It's time to take a moment to tell you about our sponsor Recorded Future. If you haven't already done so, take a look at Recorded Future's Cyber Daily. We look at it. The CyberWire staff subscribes and consults it daily. The web is rich with indicators and warnings, but it's nearly impossible to collect them by eyeballing the internet yourself, no matter how many analysts you might have on staff. And we're betting that however many you have, you haven't got enough. Recorded Future does the hard work for you by automatically collecting and organizing the entire web, identify new vulnerabilities and emerging threat indicators. Sign up for the Cyber Daily email to get the top trending technical indicators crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses and much more. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:39] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Tamika Smith: [00:02:06] From the CyberWire studios at DataTribe, I'm Tamika Smith sitting in for Dave Bittner with your CyberWire summary for Wednesday, August 21, 2019. Beijing has come out with a forthright defense of freedom of speech - sort of. After Twitter and Facebook on Monday took down accounts they determined were conducting information operations against the ongoing protests in Hong Kong, and after Twitter changed its advertising policy to no longer accept paid advertising from state-controlled media, China's government protested the companies' actions. The country's Foreign Ministry spokesman said the victims here were not the intelligence services of the Chinese government, but rather expatriate Chinese who were expressing their patriotic outrage over the discreditable misbehavior of people in Hong Kong. And it's not just those patriotic expatriates. China's government says that it also has a, quote, "right to tell its story." With a chutzpah that almost inspires a kind of admiration, Chinese authorities are said to have pointed out the fact that both Twitter and Facebook are blocked in China as evidence of spontaneous patriotism in the Chinese diaspora.
Tamika Smith: [00:03:18] Singapore-headquartered security firm Group-IB has published a follow-up report on Silence, the Russian-speaking criminal gang they've tracked for the last three years. Silence initially displayed poor OPSEC and was confined to a limited range of mostly Russian targets. However, the group has now improved its security game and has expanded internationally to more than 30 countries. Their customary infection technique is phishing, beginning with a reconnaissance phase that sends bogus email delivery failure notices. Once they've compromised a bank's network, the attackers move laterally until they've compromised the system used to control ATMs and card processing systems. Finally, they'll have local money mules visit the compromised ATMs and withdraw large quantities of cash. The group has stolen more than $4 million between June 2016 and June 2019.
Tamika Smith: [00:04:14] Group-IB also noted similarities between the Silence downloader and FlawedAmmyy, a remote access Trojan used by TA505. The researchers say the code overlap suggests that the same developer is behind both pieces of malware, although they maintain that the two criminal groups are acting separately.
Tamika Smith: [00:04:34] According to Motherboard, Google, Mozilla and Apple said on Wednesday that their browsers would block a root certificate issued by the Kazakhstan government to surveil citizens' internet traffic. Kazakhstan's attempt to force its citizens to download the certificate was apparently canceled earlier this month, with the government characterizing the move as a test. But Mozilla told Engadget in a statement, quote, "while the government's test has apparently ended, the mechanisms it can use to spy on web traffic are still in place, and some users may still have this malicious certificate installed. We aren't waiting for the vulnerability to be exploited again in order to fix it," end quote.
Tamika Smith: [00:05:16] As data privacy and rights take center stage in many countries, feelings around protecting data is reemerging as another point for conversation. A new online survey by Palo Alto Networks and YouGov delves into how people feel about protecting their information - to sum it up in one word, confused. Here to talk more about these findings is Rick Howard. He's a chief security officer at Palo Alto Networks. Hi, Rick. Thanks for helping us shed some light on this topic.
Rick Howard: [00:05:43] Thanks, Tamika. I'm glad to be here.
Tamika Smith: [00:05:45] All right, so let's pull back the layer when you say confused. To be clear, you surveyed people from several countries. So let's start with the U.S. What are Americans feeling when it comes to being safe online?
Rick Howard: [00:05:58] Yeah, it's a great question. And we were interested in something very specific here, right? With all of the advanced attacks these days conducted by criminals and hacktivists and commercial and nation-state spies, you know, what seems to be a continuous low-level cyber conflict between nation-states, how are the victims of these attacks, the humans, coping? Are they receiving the training they need to be successful in this endeavor? That's - that was a reason we commissioned this survey. For the Americas - right? - 62% of Americans feel they should be responsible for the security of their own personal information, but only 24% admitted to having a rudimentary security process in place to help them.
Tamika Smith: [00:06:39] Well, not only did you break it down that way, you also looked at other categories, right? For me, willingness to learn is the one that actually stood out. Can you talk a little bit more about the practicality of that being the foundation?
Rick Howard: [00:06:52] Yeah, I think that's really interesting that the normal employee or user of the systems want to learn how to be better at this. Right? But I'm going tell you I'm kind of a - I'm a naysayer here. All right?
Tamika Smith: [00:07:03] OK.
Rick Howard: [00:07:04] The survey data confirms to me a notion that has been changing in the network defender community over the last couple of years, you know? In the old days - OK? - it was common for people to accuse the user of being the problem. You know? I am sure I have said public things like, you can't fix stupid and if you could just get rid of the weakest link, the user, we wouldn't have any security problem.
Rick Howard: [00:07:27] As I've gotten more mature - OK? - in this field - OK? - it occurs to me that, you know, blaming the user for not being technical enough to see adversaries like OilRig and Emissary Panda and Reaper attacking their laptops, you know, that all just belongs in the pile of cybersecurity elitist BS. OK? It just does. Right? I have problems spotting malicious links in email, and I've been doing this stuff for over 20 years. But the community has been expecting the grandmas of the world to know enough to spot these advance attacks. In hindsight, you know, that's just laughable.
Rick Howard: [00:08:03] And the tech community has not made it easy for the general purpose internet user to navigate these obstacles either. You know, the tools we have for security are advanced, and they worked fairly well. But they're not designed for Grandma to use. You know, they're designed for cybersecurity professionals. This problem is on us, the network defender community, for not protecting Grandma from the attacks in the first place.
Tamika Smith: [00:08:27] OK. So staying on that point, then what should the professionals be doing in order to protect someone like Grandma?
Rick Howard: [00:08:33] Well, I - they should be doing the things they know they should be doing. But you know, it's typical for us to - if a bad guy is successful, to blame the victim for doing something stupid. And I just don't think that's viable anymore. Like I said, we can help Grandma be more secure in her personal life. Right? But really, if the bad guys get through, it's on the security community, not the user.
Tamika Smith: [00:08:54] OK. So when we're talking about the security community, we're talking about not only about professionals - humans - but also AI. And you also did a study that looks at other countries. So let's look at other countries, including Brazil and Canada. You polled them and - about their feelings toward online security and it being handled by AI or humans. So who do they prefer?
Rick Howard: [00:09:19] I really like the Europeans' answer to this. Right? The Canadians and the Brazilians are pretty standard. But the Europeans - 26% of them said they would prefer to have automation handle their security protection. Right? And what's really interesting about that is we have reached the stage now in the cybersecurity community where machine-learning techniques are really useful in the cybersecurity domain. And the reason it is is it's become possible for organizations to storage large amounts of data, mostly in the cloud somewhere. And you really can't do machine-learning algorithms unless you have piles and piles of data. I'm talking about petabytes of data. And these machine-learning algorithms work specifically well in very specific cases in the security domain, like, for example, finding malicious files.
Tamika Smith: [00:10:14] When you talk about comfortability and trust - you know, in cybersecurity, it's relative to the user - right? - whether you prefer AI because it's communicating to technology in a way a human can't and can secure systems more effectively or the feeling that a human would have more empathy. Can you talk a little bit about that idea of trust?
Rick Howard: [00:10:34] Yeah. And I think that community's slowly coming around to this. Right? You know, 10, 15 years ago, we relied on humans to react to the attacks coming against our organizations. But what we've noticed in the last 10 years is the, you know, bad guys have automated their own attacks. All right? And so if you're going to use humans to respond to that, you are always going to behind - be behind. My - I had an old boss of mine that says, you know, we're bringing humans to a software fight, which we will lose every single time. We have to get comfortable, as a community, trusting the automation that we have in place to handle those incidents in order to stop them.
Tamika Smith: [00:11:15] It's about bringing the right gun to the gunfight, basically.
Rick Howard: [00:11:18] Yeah, that's right. At least we got to bring software to the software fight. OK?
Tamika Smith: [00:11:23] OK. So that's Rick Howard. He's the chief security officer at Palo Alto. You can find him tweeting @raceBannon99.
Tamika Smith: [00:11:33] New versions of a popular Ruby library rest-client were found to contain malicious code that allowed an attacker to collect sensitive information and run additional code on clients' machines. The code was inserted last week after a hacker compromised a RubyGems account belonging to a rest-client developer. According to ZDNet, the hacker used the account to push four backdoored updates to the library, which were downloaded around 1,200. The attacker's goal seems to have been cryptocurrency mining. The malicious versions of rest-client have since been removed from RubyGems.
Tamika Smith: [00:12:09] A quick note about the CyberWire's 6th Annual Women in Cyber Security Reception - we'll be at the International Spy Museum's new facility at L'Enfant Plaza in Washington, D.C., on October 24. It's a networking reception that highlights and celebrates the value and successes of women in the cybersecurity industry. The event brings together leaders from the private sector, academia and government from across the region and women at varying points in their careers. It's not a marketing event; it's just about creating connections. If you're interested in getting an invitation to this year's event, go to thecyberwire.com/wcs. A very limited number of sponsorship opportunities remain, so please let us know if you're interested in one of those, too.
Tamika Smith: [00:12:55] And finally, scammers are gaming search engine results to display their own phone numbers at the top of search results. The searches they're gaming are for customer support lines belonging to well-known brands. Since paid ads appear up near the top of search results, people looking for a phone number can be fooled into choosing the wrong result. Voice assistants have proven particularly vulnerable to this form of deception since they automatically choose which number to call and provide no visual frame of reference for the user. Paying for the ad seems to make economic sense for the criminals since they get a solid return on their marketing investment. And in this case, the scammer's not calling you. You're calling the scammer.
Dave Bittner: [00:13:45] And now a word from our sponsor KnowBe4, the experts in a new-school approach to manage the ongoing problem of social engineering. The scary fact is that human error is a contributing factor in more than 90% of breaches. With so many technical controls in place, hackers are still getting through to your end users, making them your last line of defense. KnowBe4 has an on-demand webinar featuring Roger Grimes, KnowBe4's data-driven defense evangelist. He'll take you through the cyber kill chain to show you how a single email slip-up can lead to the total takeover of your network. And he'll share actionable strategies you can put in place now to greatly reduce your risk. Go to knowbe4.com/cyberkillchain and watch the free webinar. That's knowbe4.com/cyberkillchain. And our thanks to KnowBe4 for sponsoring our show.
Dave Bittner: [00:14:49] And I'm pleased to be joined once again by Daniel Prince. He's a senior lecturer in cybersecurity at Lancaster University. Daniel, it's always great to have you back. I know something that you all have been tracking at Lancaster is sort of the changing nature of nation-state cybercrime and how that plays into the global economy. What can you share with us today?
Daniel Prince: [00:15:10] Thanks for having me back on. So this is an area of real interest for me, so I'm really interested in the large-scale, systematic risks that come from cybersecurity in this global digital environment in which we operate. And, you know, the trend really is for increasing connectivity, hyper-connectivity of everything from the financial services sector all the way through to things like industrial control systems, physical process control. And that's changing, really, the nature in which criminals operate but also changing the way in which nation-states are operating. And we've seen a real rise in what's been variously termed as hybrid war, ambiguous war, gray-zone conflict, where the nation-states are actually able to operate within the uncertain boundaries of a globalized hyper-connected environment. And so we see things like the bank of Bangladesh heist, which has been - it was an attack against the central bank and reportedly conducted by a nation-state in order to fund internal activities within that nation-state, particularly around their military program. Now, there are various conversations around that about how true or not that is. But that kind of concept that now a nation-state is performing what would've traditionally been seen as a criminal act in order to fund nation-state activities is quite an interesting and emergent of global politics within a digital environment.
Dave Bittner: [00:16:42] It's interesting the possibilities that it opens up because, you know, you imagine a nation sending in, you know, a group of folks under the cover of darkness to pull off a bank heist in the physical world. Well, this is a different thing. It's just different plausible deniability, I suppose.
Daniel Prince: [00:16:58] Well, and that - this is where the ambiguous nature comes in. It's - as we all know, it can be very hard to attribute actions to individual groups, individuals or even nation-states. And it's that ambiguity that drives the uncertainty within the political dimension that we're seeing. And also, it's the lack of physicality, as you rightly point out. If I was going to rob a whole load of gold - steal a whole load of gold from somewhere, there's only so much that I can steal. There's only so much I can put in a van for a given size of van and a given number of people. And there's only so many places I could take it to, and there's only so fast I can travel. So that physical nature of stealing physical, rare items, physical commodities is very different to the digital environment. And it's not just about theft. It's about the knock-on, cascading impacts of that - and so understanding those and how the act of that theft may have real far-reaching implications that we're not necessarily aware of that become systemic risk issues in the future.
Dave Bittner: [00:18:00] It also strikes me that there's a reticence from leaders of nation-states, perhaps acting in their own self-interest, to draw lines in the sand, to say that we're not going to do these sorts of things. They've left a lot of that fuzzy and, as you say, ambiguous.
Daniel Prince: [00:18:16] Well, we've seen, certainly recently, nation-states coming out and actually exercising some of that cyber power, that cyber influence and actually directly attacking as part of a political influence process. And that again has real-world kind of implications on politics. And one of the concerns is really around that global infrastructure. You know, particularly in the West, we have this kind of very liberal view of the internet as something that is open and connected. But we're starting to see as that becomes much - that infrastructure becomes much more critical to nation-state economy, nation-state prosperity and civilian lives that the nation-state governments are starting to go, well, how do we control this much more? The interesting point here is that most nation-state governments are really interested in borders and boundaries and how they control the flow across that. There certainly - the big concern that I have is the kind of the Balkanization of the internet, the breaking-up so that, actually, the perimeters of the internet for the prosperity of the nation start to be much more policed, as we've seen in some other nation-states.
Dave Bittner: [00:19:25] All right. Well, Daniel Prince, thanks for joining us.
Tamika Smith: [00:19:32] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Tamika Smith: [00:19:45] For links to all the stories mentioned in today's podcast, check out our Daily News Brief at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Dave Bittner, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Tamika Smith. Thanks for listening. We'll see you tomorrow.