Google takes down YouTube influence operation. Cryptomining in a nuclear plant. Spyware in the Google Play Store.
Tamika Smith: [00:00:03] Google takes down YouTube accounts spreading disinformation. Cryptomining gear was seized at a Ukrainian nuclear plant. CISA outlines its strategic vision. Spyware makes it into the Google Play store twice. And a man gets life in prison for installing hidden cameras.
Dave Bittner: [00:00:28] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web, developing cyber intelligence that gives analysts unmatched insight into emerging threats. At the CyberWire, we subscribe to and profit from Recorded Future's Cyber Daily. As anyone in the industry will tell you, when analytical talent is as scarce as it is today, every enterprise owes it to itself to look into any technology that makes your security teams more productive and your intelligence more comprehensive and timely because that's what you want - actionable intelligence. Sign up for the Cyber Daily email, and every day, you'll receive the top trending indicators Recorded Future captures crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates. That's recordedfuture.com/cyberwire. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:01:38] Funding for this CyberWire podcast is made possible in part by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights like remediation advice to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Tamika Smith: [00:02:05] From the CyberWire studios at DataTribe, I'm Tamika Smith sitting in for Dave Bittner with your CyberWire daily podcast for Friday, August 23, 2019.
Tamika Smith: [00:02:15] Before we get started, a quick reminder about the CyberWire's 6th Annual Women in Cyber Security Reception. It will be at the International Spy Museum's new facility at L'Enfant Plaza in Washington, D.C., on October 24. It's a networking reception that highlights and celebrates the value and successes of women in the cybersecurity industry. The event brings together leaders from the private sector, academia and government from across the region and women at varying points in their careers. It's not a marketing event. It's just about creating connections. If you're interested in getting an invitation to this year's event, go to thecyberwire.com/wcs. A very limited number of sponsorship opportunities remain, so please let us know if you're interested in one of those, too.
Tamika Smith: [00:03:03] And now here's today's cybersecurity news. Google has joined Facebook and Twitter in taking down social media accounts probably operated by Chinese government sock puppets. Mountain View blogged yesterday that it closed 210 YouTube accounts it found spreading disinformation about the ongoing protests in Hong Kong. Google did not explicitly attribute the activity to the Chinese government, but it did note that the activity was similar to the campaigns flagged by Twitter and Facebook. The videos were posted in what appeared to be a coordinated manner. Google also observed behavior it associates with inauthenticity, notably the use of VPNs.
Tamika Smith: [00:03:42] The SBU, Ukraine's Security Service, has found and confiscated cryptomining gear installed at a South Ukrainian nuclear power plant. The rig the SBU took included six Radeon GPU video cards, a motherboard, power supplies and extension cords, a USB and hard drive and cooling units. They also raided offices at the National Guard unit 3044, which is located at the nuclear facility. That search turned up 16 video cards, a system unit with the inventory number of the military unit, seven hard drives, two solid state drives, a USB flash drive and a router. The Ukrainian online news service InternetUA said none of these hardware devices should've been on the premises in the first place.
Tamika Smith: [00:04:27] The Ukrainian English-language news service UNIAN observed that one of the problems at the power plant was that the computers exploited were connected to the internet. Cointelegraph, which covered the raids, noted the similarities to the case of the nuclear engineers Russian authorities arrested in February of 2018 for pulling bitcoin out of the Russian Federal Nuclear Center. The nuclear power and research sector deploys a lot of computational power, and supercomputers attract cryptojackers. An unknown number of people are under police investigation.
Tamika Smith: [00:05:00] On Thursday, the Cybersecurity and Infrastructure Security Agency published a document outlining the agency's strategic vision, and CISA director Chris Krebs summarized the strategy in a speech at Auburn University. He said his agency's overarching job is to act as the nation's risk adviser, helping public and private sector entities form strategies to defend themselves against cyberattacks. CISA will focus on five specific operational priorities. No. 1 is China, which Krebs calls, quote, "the most pressing long-term strategic risk to the United States," particularly as it relates to the supply chain. Second is election security. Third, soft target security or protecting crowded places. No. 4 is federal cybersecurity, leading the government in adapting to the speed of change. Finally, the agency will work to reduce the risk to industrial control systems.
Tamika Smith: [00:05:55] Twelve large telcos and the attorneys general of all 50 U.S. states and the District of Columbia have agreed to give consumers some relief from robocalls. The Wall Street Journal reports that AT&T, Verizon, T-Mobile, Sprint and CenturyLink are among the companies that have committed to working with the AGs to, quote, "provide customers with free call-blocking technology, investigate and trace illegal calls and confirm the identity of their commercial customers as a part of the cooperation with law enforcement," end quote. Many robocalls are not illegal per se, but an awful lot of them run afoul of fraud and consumer protection laws.
Tamika Smith: [00:06:35] ESET uncovered a spyware app in the Google Play Store. The app called Radio Balouch or RB Music, was built on the open source remote access Trojan AhMyth and doubled as a fully functioning internet radio app for Balochi music. It can send text messages from an infected phone and steal contacts and files. It also has a meaningless login page, presumably to steal reused credentials.
Tamika Smith: [00:07:00] The malicious app made it through Google's vetting process twice. ESET first reported the app to Google on July 2, and it was removed within a day. Eleven days later, the same app reappeared in the Play Store with the same branding and functionalities. Google again responded quickly after ESET brought it to their attention, but the researchers say the company should improve its vetting capabilities. They note that, quote, "as the malicious functionality in AhMyth is not hidden, protected or obfuscated, it is trivial to identify the Radio Balouch app and other derivatives as malicious," end quote.
Tamika Smith: [00:07:36] Ryan Alden, a former employee of a security company in Oklahoma, was convicted of installing what reports call a staggering number of cameras in the houses he worked on. Many of them were aimed at children's rooms, and the story is staggeringly creepy. KFOR News reports that the judge, who expressed her regret that the law did not offer mutilation as one of the sentencing options, gave Mr. Alden life in prison, which Mr. Alden admitted might be fair enough.
Dave Bittner: [00:08:10] And now a word from our sponsor, KnowBe4, the experts in a new-school approach to manage the ongoing problem of social engineering. The scary fact is that human error is a contributing factor in more than 90% of breaches. With so many technical controls in place, hackers are still getting through to your end users, making them your last line of defense. KnowBe4 has an on-demand webinar featuring Roger Grimes, KnowBe4's data-driven defense evangelist. He'll take you through the cyber kill chain to show you how a single email slip-up can lead to the total takeover of your network, and he'll share actionable strategies you can put in place now to greatly reduce your risk. Go to knowbe4.com/cyberkillchain and watch the free webinar. That's knowbe4.com/cyberkillchain. And our thanks to KnowBe4 for sponsoring our show.
Dave Bittner: [00:09:14] And I'm pleased to be joined once again by Professor Awais Rashid. He's a professor of cybersecurity at University of Bristol. Awais, it's great to have you back. We wanted to talk today about making decisions when it comes to cybersecurity, specifically based on risk. What can you share with us today?
Awais Rashid: [00:09:31] Understanding cybersecurity risks is a complicated matter because, you know, if we all had a crystal ball, then life would be simpler. And the fact of the matter is that everything we do on a daily basis - we make risk decisions. When you decide to procure that product or service, you make a risk decision. When you decide to even send an attachment with your email, you make an implicit risk decision. But also, when you're deciding at a more senior level within an organization about the budgets that you allocate to your security, you make a risk decision. And we have been looking sort of through a sort of a large piece of work at understanding as to how different demographics within organizations actually understand the risk and to what extent do they actually respond to particular types of risks in particular ways?
Dave Bittner: [00:10:22] How do people's perceptions of risks align with reality?
Awais Rashid: [00:10:26] So it's quite interesting that people often attempt to understand the risks that are sort of much more in the spotlight. So we have designed a game that is now being used quite widely across the U.K. and even internationally to educate people about cybersecurity. And as part of that, we also collect quite a lot of data. And it's quite interesting to see that people always, of course, you know, invest in the basics. So, you know, they would go for things like antiviruses and firewalls, but there is also always this tendency of an overreliance at times on technology.
Awais Rashid: [00:10:59] There is often this view that if we buy the latest security event and information management system or the latest intrusion detection system, that will solve all the problems. And, of course, risk is much more nuanced in that sense because an organization will have a lot of different security needs, and a lot of different controls would need to be put in place from, you know, security awareness raising to some of the very basic things to, also, intrusion detection systems and those kind of environments - encryption of your data and things like that. And we find that it's not always that people consider all those risks upfront.
Dave Bittner: [00:11:35] How much do regulatory requirements come into play, where people are able to, you know, approach things from a sort of a check box point of view? We've taken care of this; we've met this requirement, so we're good here, right?
Awais Rashid: [00:11:47] The word check box is really quite interesting there. So it depends how do you want to implement the regulatory requirement? And if you think about it as check box, then you can do things that will allow you to meet that check box, but does that actually improve the state of security of your organization is an entirely different matter. And my favorite example of that would be the cookie rule in the EU, where, you know, we're supposed to all know that now a website wants to place a cookie on our machine as you go and visit the website. And this was sort of a big deal that it was required. But all that has mattered is that now every website gets you to say, well, I'm going to put a cookie on your machine, and you have to click OK. And that's it. It actually makes no difference.
Dave Bittner: [00:12:28] Right.
Awais Rashid: [00:12:28] Cookies are still, you know, in use. But they are now compliant with that rule.
Dave Bittner: [00:12:32] But at least we know, right? (Laughter).
Awais Rashid: [00:12:33] Yeah. But - you know, if you ask a lot of users, they wouldn't even know what a cookie is, right?
Dave Bittner: [00:12:37] Right.
Awais Rashid: [00:12:37] So you get your compliance, but you don't actually change the state of anything in that sense. So I think regulation has a big role to play, but the key question is, does regulation lead to an active change in the approach from organizations, and how do they deal with security and the risks that come from the various types of threats that they face?
Dave Bittner: [00:13:04] Yeah, it's interesting to me because I wonder, you know, you have folks who are afraid of flying, for example, but then are perfectly fine getting in a car when, you know, we know statistically they're more likely to have some sort of an accident in the car than they are in an airplane. And are there similar misalignments with perceived risks with some of the work that you're doing?
Awais Rashid: [00:13:25] Yes. So I mean, risk perceptions, of course, do vary. And in many cases, people perceive certain risks to be more or less relevant. The most interesting thing that we have seen is that very often, actually, security experts don't necessarily do any better than nonexperts in that sense. And in some cases, nonexperts can have a much better understanding of the organizational context because of their day-to-day jobs, compared to security experts who may not always be aware of the implicit working practices that may be going on within an organization.
Awais Rashid: [00:14:00] The key message that I've taken away is that actually employees are a big resource, and if they can help understand what are the practices that go on in an organization and where the risks actually arise, we can come up with much better ways to protect organizations. But, of course, mining that information in a large organization with a large number of employees is in itself a big challenge.
Dave Bittner: [00:14:22] Professor Awais Rashid, thanks for joining us.
Dave Bittner: [00:14:29] And now a few words from our sponsor, Dragos, the leaders in industrial cybersecurity technology. Threats to electric infrastructure are progressing in both frequency and sophistication. In their latest whitepaper, they reassess the 2016 Crashoverride event and its intentions to reveal a far more complex and nuanced attack on the electric community than the Ukraine 2015 cyberattack. Learn more about Crashoverride's implications and what you can do to combat future sophisticated cyberattacks - visit dragos.com/white-papers. That's dragos.com/white-papers. And to register for a free 30-day trial of their ICS threat intelligence, visit dragos.com/worldview That's dragos.com/worldview. And we thank Dragos for sponsoring our show.
Tamika Smith: [00:15:28] And now it's our pleasure to introduce our guest, Cathy Hall from Sila, who's here to discuss privileged access management.
Cathy Hall: [00:15:35] For the longest time, security and especially privileged access management was in the purview of the infrastructure team. There was a lot of administrators that needed to elevate their access in order to maintain and operate these underlying systems that kind of are essential to the enterprise. And the old way of doing this was to grant everybody the default administrator access on these systems, so root for Unix or local administrator or domain administrator for Windows boxes, and whenever they needed to run anything with privilege, they would use these accounts. And all of the governance and all of the security and all of the oversight was was run by those same administrative teams.
Cathy Hall: [00:16:18] What we've noticed more recently is that these privileged accounts are kind of the crown jewels of the - for the attackers that are trying to get into these systems because that really gives them unfettered access within an enterprise or within the network. So now the security teams, as security within an organization has started to mature - I think I heard you talking about how CISOs are being given that seat at the table now that all the other C-suites have been granted. And they have a stronger view into these things.
Cathy Hall: [00:16:47] They're realizing that this is their biggest problem - is that while you have attackers attacking the network and attacking individual users, what they're really trying to do is get to these privileged accounts and important data or destroy systems or kind of wreak havoc. And the only way they can do that is to have these administrator accounts, these root accounts, these domain accounts. And so their main purpose is to get to those. So we want to make sure that we're providing a little more oversight, a little more governance and view to the security part of the organization to allow them to determine whether or not that access should be used in that particular instance.
Dave Bittner: [00:17:25] And so what does the modern implementation of that look like?
Cathy Hall: [00:17:29] There are a number of pillars. I think it started with the password vaults. What we see a lot of times in our, you know, personal uses - the LastPasses, the 1Passwords, our own personal password vaults - we started to implement those for administrative users, so at least we were ensuring that the passwords that they were using were incredibly strong, can be rotated at a regular cadence and that we had visibility into who was using those passwords. But as this area has matured, more and more features have come out. There's session monitoring and session isolation, where the user doesn't even see the password. They - originally, you would have to check it out or type it in. Now these PM tools can provide isolated sessions to the user once they've been authorized to do so, and then the password can then be rotated immediately, and they never see it. And the next user that needs to use that same administrative account would be using a completely separate password, and therefore it's very easy to tell who is doing what within the organization with their privileged access.
Dave Bittner: [00:18:34] I wonder, too. I mean, is there anything to this notion that there should no longer be, you know, an all-powerful admin account that's just sitting there at all times. In other words; are we in an era where all access should be provisioned as needed on the fly and that it be - that it time out, that it be temporary for a certain amount of time? Does that make any sense?
Cathy Hall: [00:18:58] Yeah, absolutely. So you're getting into an area where I think these vendors are starting to get to, which is what they call just-in-time provisioning. When the user, when the administrator needs to elevate their access, they're granted that elevation only for particular transaction for a limited period of time. These tools can then go and take those privileges away from that account after it's met its use. These are features that these tools are starting to put out there. I think there is some limited scope for what they can do for now, but it's definitely an area that people are thinking through and looking for ways to enable that type of provisioning.
Dave Bittner: [00:19:34] Where do you suppose we're headed? When you look ahead, what's the future for this?
Cathy Hall: [00:19:39] What this does is - it gives a lot more insight into activity and transactions so that we can start to move away from just even a least privilege model, which is where we give everybody all of the access they need, in perpetuity, to do their job because that's where these systems are, and we moved more to the zero-trust model and the just-in-time provisioning that you were talking about, which is, for a particular transaction, for a particular time, given all this other context that we have - so these systems right now don't have visibility into context like, is there a service ticket open, or is there a vulnerability that we can pull in from this other system? - but they're looking into that. So every privileged transaction then can be validated and verified before it's even allowed to run. I think that that is where these vendors are looking to go. I think that's where we are all trying to help our organizations think - or our client organizations think about. And I really think that that's a important feature of a PM program.
Cathy Hall: [00:20:40] It takes work to get there. It takes the ability to pull that context in. It takes a a robust privileged access management tool. It takes a robust privileged access management program run by your organization that has, of course, buy-in from your stakeholders but then buy-in from your end users and really kind of watching that market to see when these vendors start to put out more interesting capabilities, like the just-in-time provisioning, or some of these really interesting analytics tools that they're starting to put out, which allow you to determine if a user's behavior is out of the norm or out of expectation or out of their peer group and limit that access at that particular time.
Tamika Smith: [00:23:04] That's Cathy Hall from Sila.
Tamika Smith: [00:23:12] And that's the CyberWire. Thanks to all of our sponsors for making this CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com. For links to all of the stories mentioned in today's podcast, check out our Daily News Brief at the thecyberwire.com.
Tamika Smith: [00:23:33] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Dave Bittner, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Tamika Smith. Thanks for listening. We'll see you tomorrow.