Dave Bittner: [00:00:03] Spy versus spy in America, Canada and Australia, with special guest stars from the Russian and Chinese services; the U.S. Treasury Department issues more sanctions against North Korea's Reconnaissance General Bureau, better known as the Lazarus Group or Hidden Cobra. Russian election influence goes local and domestic; password manager security problems. And why does your flashlight want to know so much about you?
Dave Bittner: [00:00:34] And now, a word from our sponsor ExtraHop, the enterprise cyber analytics company delivering security from the inside out. The cloud may help development and application teams move fast, but for security teams already dealing with alert fatigue, tool sprawl and legacy workflows, cloud adoption means a lot more stress. You're building your business cloud first. It's time to build your security the same way. ExtraHop's Reveal(X) provides network detection and response for the hybrid enterprise. With complete visibility, real-time detection and guided investigation, Reveal(X) helps security teams unify threat detection and response across on-prem and cloud workloads so you can protect and scale your business. Learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible, in part, by Bugcrowd, connecting organizations with the top security researchers, pen testers and white hat hackers in the world to identify 10 times more vulnerabilities than scanners or traditional pen tests. Learn more about how their award-winning platform provides actionable insights, like remediation advice, to help fix faster while methodology-driven assessments ensure compliance needs are met at bugcrowd.com.
Dave Bittner: [00:02:00] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, September 16, 2019. The news that's broken over the weekend and into today heavily involves espionage, and so our discussions will have a great deal of spy versus spy. First, Yahoo reports that Russian intelligence services successfully compromised FBI and possibly other intelligence community communications from 2010 until 2016. U.S. counterintelligence authorities became aware of the compromise, which involved, among other things, the ability to break encrypted cellphone communications among FBI counterintelligence teams, sometime in 2012.
Dave Bittner: [00:02:44] Internal disputes within the Obama administration's national security apparatus, which experts who witnessed deliberations characterized to Yahoo as reset hangover, delayed a comprehensive response until December 2016, after the last U.S. presidential election. That response took the form of the expulsion of more than 30 Russian diplomats declared persona non grata for their involvement in the espionage campaign. It also involved U.S. seizure of two comfortable vacation homes, both with nice proximity to the ocean, used by the Russian delegation - one on Long Island, N.Y., and the other on Maryland's Eastern Shore.
Dave Bittner: [00:03:26] The FBI began to move to alternative communications systems after suspecting something was up in 2012. Observers describe that move as expensive. One of the questions the Russian operation aroused is the possibility that the espionage campaign wasn't simply a technical achievement - although it seems clearly to have been that - but rather a technical achievement enabled by an internal turncoat, a mole.
Dave Bittner: [00:03:53] There is also a mole hunt underway in Canada. On Friday, a senior member of the Royal Canadian Mounted Police, the RCMP - colloquially, the Mounties - Cameron Ortis has been charged under Canada's Information Security Act, CBC reports. Mr. Ortis had been serving as director general of the RCMP's National Intelligence Coordination Centre. He is alleged to have been in improper contact with Russian entities. It's not known what information, if any, he may have passed on. There's some hope that he was stopped before he was able to transfer any sensitive information.
Dave Bittner: [00:04:29] The government has been relatively tight-lipped about the case, but Crown counsel did tell reporters, without going into too much detail, it's alleged he obtained, stored and processed sensitive information, the Crown believes, with the intent to communicate that information with people he shouldn't be communicating to. He's been charged under the Security of Information Act with unauthorized communication of special operational information and with preparing for the commission of an offense by obtaining or gaining access to information or possessing any device, apparatus or software used for concealing, surreptitiously communicating or obtaining information. He was not charged with sharing information with a foreign government, which has led some observers to hope that nothing, in fact, reached the Russians. He also faces charges under Canada's Criminal Code, including breach of trust by a public officer and unauthorized use of a computer.
Dave Bittner: [00:05:29] Why would Russian intelligence be interested in the RCMP? They're Canada's national police service is why, and they have a counterintelligence role that's roughly analogous to that of the U.S. FBI. The Globe and Mail says that Mr. Ortis was also running the Canadian side of an inquiry into Russian money laundering, which would also have piqued Russian interest. The other Four Eyes will be watching developments of the case closely, since the compromise, should one have occurred, could affect the services of Australia, New Zealand, the United Kingdom and the United States. The RCMP wasn't saying whether Mr. Ortis still had a job with the Mounties, but we're betting at the very least that he's been placed on indefinite leave and probably isn't welcome back in the SCIF until any of these possible misunderstandings are cleared up.
Dave Bittner: [00:06:22] Reuters reports what's long been suspected. The Australian Signals Directorate concluded in March that Chinese intelligence services were responsible for penetrating networks of Parliament and three major parties - the Liberals, the Nationals and Labor. The government did not make the conclusion public, sources tell Reuters, because of concerns that doing so would disrupt bilateral trade negotiations. So given that the anonymice have begun chatting with Reuters, the anonymice at least don't care so much about bilateral trade talks.
Dave Bittner: [00:06:57] On Friday, the U.S. Treasury Department announced sanctions against North Korean hacking organizations, units of that country's principal intelligence service, the Reconnaissance General Bureau. Three outfits were specifically singled out - the Lazarus Group, also known as HIDDEN COBRA, and two of its subordinate organizations, Bluenoroff and Andariel. Treasury holds the Lazarus Group responsible for WannaCry and the Sony hack. Bluenoroff has specialized in attacks on the SWIFT financial transfer system, Andariel in carding and ATM theft. One might wonder what, at this point, is left to sanction in North Korea, but there remain many good reasons for calling out the RGB's cat's-paws and for naming individual actors, getting them on a range of watchlists.
Dave Bittner: [00:07:46] If all politics is local, online election influence seems to be moving in that direction as well. Meduza's account of how Russian influence operations have evolved since 2016 shows more attention to the details of advertising, more attention to domestic elections and more listicles. The attention being paid to domestic elections is noteworthy. Apparently, embarrassment and irritation over what President Putin took to be unwelcome encouragement of dissident factions in Russian public life, such as it is, drove that 2010 effort to up Russia's espionage game in the United States.
Dave Bittner: [00:08:23] After all of this wrangling among rival intelligence services, we close with a few reminders that there are other security concerns in cyberspace. Google's Project Zero tweeted in the wee hours last night that the LastPass password manager could, under certain circumstances, leak credentials from a previously visited site. It seems to be an actual possibility, but one that requires relatively complicated user interaction to accomplish. It also seems limited to browser extensions in Chrome and Opera. LastPass' response isn't quite a "physician, heal thyself" in the direction of Google - but anyhoo, Chrome users take note. We'll see how this story develops.
Dave Bittner: [00:09:06] And speaking of Google, there are a lot of very nosy flashlight apps in the Play store. How much does a flashlight app really need to know about you, really? Not as much as it's asking, Avast suggests. It seems that a lot of those permissions are requested in the service of monetization on behalf of ad partners. Fifty to seventy permissions seems like a lot for a flashlight to need if it's simply in the business of helping you find your keys at the tail end of a fun night. And why would the flashlight demand permission to record audio? At any rate, beware of the flashlight. It's supposed to be revealing your surroundings to you, and not vice versa.
Dave Bittner: [00:09:50] And now a word from our sponsor Dragos, the leaders in industrial cybersecurity technology. Threats to electric infrastructure are progressing in both frequency and sophistication. In their latest white paper and webinar, Dragos reanalyzes the 2016 Ukraine cyberattack to reveal previously unknown information about the CRASHOVERRIDE malware, its intentions and why it has far more serious and complex implications for the electric community than originally assessed. Learn more about CRASHOVERRIDE and what defenses to take to combat future sophisticated cyberattacks by reading the white paper at dragos.com/white-papers or watching their webinar at dragos.com/webinars. To learn more about Dragos' intelligence-driven approach to industrial cybersecurity, register for a free 30-day trial of their ICS threat intelligence at dragos.com/worldview. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:11:01] And joining me once again is Justin Harvey. He's the global incident response leader at Accenture. Justin, it's always great to have you back. I wanted to touch base with you today about HTTPS and some things that are going on with that when it comes to phishing. What can you share with us?
Justin Harvey: [00:11:18] Well, it's the magical green safe icon we've been conditioned to trust, but it's actually turning out that the trust shouldn't be implicit. And we know that the green icon means that our data is safe in motion. We can all agree on that. If you have your browser and that green safe is up there or your green bar - or the black safe, if you're using Chrome - that means that your browser has negotiated a TLS protocol with the web server, and intruders or attackers or adversaries that are sitting between you and that web site can't see your data.
Justin Harvey: [00:11:56] But what we don't take into account is what happens when it gets to the destination, and what we're seeing is a trend in attackers that are not only using the approach of taking a domain name or company name and changing the 1 to an L or an O to a 0, but they're also putting in SSL certificates, so that really gives users a little bit more trust in that site because we condition them: hey, if it's a green safe, you're OK.
Dave Bittner: [00:12:29] So is it the fact of the matter that SSL certificates aren't that hard to come by these days?
Justin Harvey: [00:12:34] Yes. In fact, we're seeing a trend where SSL certificates are actually making it through the signing process in, probably, instances where they shouldn't. Most notably are the domains that are just like real companies' but they've got a few characters transposed. And given how easy it is for adversaries to get their own compute power, their own web servers on the cloud - there are even virtual cloud data centers that you can pay for in bitcoin - it makes it very easy to get a mimic-style domain, go register an SSL certificate and essentially run your own business email compromise portal out of there with your misnamed sites and your SSL certificates.
Justin Harvey: [00:13:19] Now, while they are valid, they're not quite - I wouldn't really call them fake. They're really just - maybe the right term is faux here, Dave. But they're not actually signing them in a fake sort of way. They're getting them signed so that they can be that green icon. It's just that the cert providers are not putting a stringent process on that, and when users are using their browser either on mobile or PC or Mac or Linux, they go to these sites, and then they automatically trust them because of the green icon.
Dave Bittner: [00:13:49] Well, so - I mean, let's approach solutions to this from two directions. I mean, there's the technical side, and there's the human side.
Justin Harvey: [00:13:55] Clearly, on the technical side, the best approach is to have a little bit more of a stringent process on signing certificates, but I can only imagine the enormity of that problem out there given the speed at which domains are being registered and certs are being signed. And on the human aspect to this, I would say that it is more medium-to-small businesses that are targeted with this style of attack. If you are part of the big businesses, they are usually policing a lot of the domains out there, trying to police a lot of the certificates. But you see with the medium and small providers, they don't have that sort of vigilance, so their users are getting duped into this sort of operation.
Justin Harvey: [00:14:42] You've also got to look at how this is being delivered to the victims - usually phishing attacks or SMS-style phishing attacks or even voice attacks - so calling up and doing a little bit of social engineering. I think that being able to train your personnel, your customers, your employees about this risk with an ongoing security awareness training program is a good step forward for it.
Dave Bittner: [00:15:07] And, I guess, looking at that little lock icon and taking it with a grain of salt.
Justin Harvey: [00:15:12] That's right. If the nature of the reason you're accessing this site is that you got a text or an email from your bank or from a social media site - they're trying to create a compelling event. They're trying to get you to say, oh, my gosh. I need to stop what I'm doing now and log in. The best course of action no matter where it comes from is to go and use your browser and type in the website and go there and see if that alert exists, or simply call into wherever it is and ask them if this is their valid communication to you.
Dave Bittner: [00:15:49] And go look up that phone number. Don't use the number that they may provide you with, right?
Justin Harvey: [00:15:53] Exactly.
Dave Bittner: [00:15:54] Yeah. All right. Well, Justin Harvey, thanks for joining us.
Justin Harvey: [00:15:57] Thank you.
Dave Bittner: [00:16:03] And that's the CyberWire.
Dave Bittner: [00:16:04] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:16:15] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence, and every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:16:44] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.