Spearphishing the UN and NGOs. Clickware kicked out of app stores. ICS security notes. Close-reading the Turla false-flag reports. A good use for the dark web. Senators call for investigations.
Dave Bittner: [00:00:03] A spear-phishing campaign is found targeting humanitarian, aid and policy organizations. Google and Apple removed click fraud-infested apps from their stores; a last look back at SecurityWeek's 2019 ICS Cyber Security Conference, which wrapped up in Atlanta yesterday afternoon; close-reading GCHQ and NSA advisories. The BBC takes to the dark web in a good way. And senators call for investigations of Amazon and TikTok.
Dave Bittner: [00:00:37] And now a word from our sponsor, ExtraHop, delivering cloud-native network detection and response for the hybrid enterprise. The cloud helps your organization move fast, but hybrid isn't easy. Most cloud threats fall on customers to resolve, and prevention-based security wasn't designed for the modern attack surface. That's why Gartner predicts that 60% of enterprise security budgets will go towards detection and response in 2020. ExtraHop Reveal(x) Cloud is the only SaaS-based network detection and response solution for AWS with complete visibility, real-time threat detection and automated response powered by cloud-scale machine learning. Request your 30-day free trial of Reveal(x) Cloud at extrahop.com/trial. That's extrahop.com/trial. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built by the power of harnessing 1 billion threat sensors from device to cloud, intelligence that enables you to respond to your environment and insights that empower you to change it. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:01:55] From the CyberWire studios a DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, October 25, 2019. Security firm Lookout has found a large phishing campaign targeting United Nations agencies and a range of aid, humanitarian, policy and academic organizations. Lookout researchers say the infrastructure used to conduct the spear-phishing has been in place since March. They emphasize it is targeted to individuals in the affected organizations. The targets Lookout identified include the Red Cross, UNICEF and the UN's World Food and Development programs. There were also think tanks and advocacy groups on the list - organizations like The Heritage Foundation, the United States Institute of Peace, and the University of California San Diego. Lookout made no attribution and said it had no basis for speculation. So the threat actor behind the campaign could be anyone from a criminal gang to a nation state.
Dave Bittner: [00:02:56] Google scrubbed 42 apps from the Play Store that served Ashas adware. The Bratislava-based security firm ESET discovered Ashas, which has been active for about a year. Google was quick to give the bad apps a summary heave-ho out of the Play Store, but ESET reminds everyone that old apps never die. They just fade away into dodgy third-party stores. The researchers traced the developer of Ashas to a university in Vietnam where one wishes the students would stick to their books. Malware development can end badly. Just ask that guy at Rutgers who put together Mirai a couple of years ago.
Dave Bittner: [00:03:35] In another purge, Apple removed 17 Trojanized iOS apps that London-based mobile security shop Wandera identified and reported. The apps were infested with clickware and, according to Indian media site Gadgets Now, were the work of AppAspect Technologies. Wandera explains clickware is a well-known class of unwanted programs. A clicker's principal uses include the obvious one of goosing the number of interactions with an ad, thereby increasing revenue under the common and entirely legitimate pay-per-click advertising model. A more subtle use, which our crimeware desk is embarrassed to say hadn't really occurred to them until Wandera pointed it out, is to hit a competitor by artificially inflating the clicks on a competitor's ad, which in turn increases the amount of money that competitor will owe the ad network.
Dave Bittner: [00:04:27] SecurityWeek's 2019 ICS Cyber Security Conference wrapped up yesterday afternoon in Atlanta. The conference showed, as it has in past years, a more even mix of clients and vendors than one often sees at such events. The last day's discussions returned to themes that had been prominent throughout the week, especially the centrality of process integrity and the importance of attention to sound security fundamentals. The former point's prominence showed a maturation of the ICS security community's understanding of the challenges it faces and also the waning of the familiar complaint that industrial cybersecurity remains too dominated by those who've come up through the information assurance ranks. And that second point, while certainly is not a new one, is far from being banal.
Dave Bittner: [00:05:12] CyberX's Phil Neray presented his company's annual risk report, and those interested in seeing some of the reasons why the basics continue to matter need look no further. CyberX gives a numerical score with its assessments. They recommend an 80 as a passing grade, and across the industrial sectors they observed, the grades aren't encouraging. Oil and gas comes out the best with 74. Energy and utilities is second best at 70. Manufacturing, 63; pharmaceuticals and chemicals, 62; and other, 62, are the laggards. The median security score CyberX awards across all industrial sectors is a 69. The Baltimore high school we've got the most recent experience with would grade that numerical score as an F. Sure, you'll want to say it's a high F, call it an F-plus, but still no good.
Dave Bittner: [00:06:08] The Russian embassy to the UK has told Reuters that reports of Turla piggybacking on Iranian attack methods are unsavory misreadings of GCHQ and NSA warnings. So Turla didn't do nothing. And besides, who's this Turla anyhoo? But the denial is better than most. The embassy diplomatically doesn't slang either GCHQ or NSA, with both of whom we'd think Moscow has plenty of beefs, but rather recommends close reading what the two agencies have actually said. So the press has got it wrong, say the diplomats. We don't know. We read this stuff, too, and it seems pretty clear to us - the Russian threat actor Turla, also known as Venomous Bear, was flying an Iranian false flag.
Dave Bittner: [00:06:55] The dark web gets more bad press than good, but it's worth noting that it has its benign uses, like the BBC's adoption of TOR to help its users avoid censorship by repressive governments. The network particularly mentions China, Iran, and Vietnam as countries who have sought to restrict its content. The BBC News International site will be available in the mirror, as will the BBC's Arabic, Persian, and Russian services.
Dave Bittner: [00:07:23] US Senators Wyden, Democrat of Oregon, and Warren, Democrat of Massachusetts, have asked the Federal Trade Commission to investigate any role Amazon may have had in the Capital One breach. The Washington Post reports that Senators Cotton, Republican of Arkansas, and Schumer, Democrat of New York, have asked the intelligence community to determine whether the Chinese-owned social network TikTok represented a security threat. With respect to content moderation, TikTok told BuzzFeed its moderators are in the US, not China. BuzzFeed goes on to point out that, in fact, there have been some pro-Hong Kong protester posts on TikTok. The story says they appear to have been put there more to just see if they'd go through, so the effort hardly seems to rise even to the low level of slacktivism. Anyway, TikTok says its content moderation standards are being upheld by an American unit, not a Chinese one. How relevant that may be is unclear. After all, the NBA is pretty much American, and they've been playing the Washington Generals to Beijing's Harlem Globetrotters for some time.
Dave Bittner: [00:08:33] And now a word from our sponsor, Dragos. Cyberattacks on oil and gas environments are continuing to progress in frequency and sophistication. Attackers are creating tailored attacks to cause significant operational and financial impacts, and most importantly, they're becoming aware they can overcome automated safeguards to cause physical effects and harm the lives of those who work in the facilities. Read the latest case study from Dragos to learn how they helped an oil and gas organization ensure it had detections and response plans against TRISIS-like activity on its networks and comprehensively defend its environment. You can find it at dragos.com/case-studies. That's dragos.com/case-studies. And we thank Dragos for sponsoring our show.
Dave Bittner: [00:09:31] And joining me once again is David Dufour. He's the vice president of engineering and cybersecurity at Webroot. David, it's always great to have you back. I wanted to talk today about phishing attacks. I know you all at Webroot have been doing some research on this, and you've got some statistics to share with us.
David Dufour: [00:09:47] That's exactly right, David. As always, great to be back. And phishing, you know, people - it seems like we always talk about phishing, but it remains the number one way that people are attacked or exposed online through cyberattacks. So it's always something important that we should talk about.
Dave Bittner: [00:10:04] Well, let's go through your research together. You've got some interesting findings here.
David Dufour: [00:10:08] Yeah, so we did a survey, a pretty extensive survey. One of the biggest things is people really feel like they can identify a phishing email. And believe it or not, they're struggling. And a lot of this - you know, you and I both can identify the email from the Nigerian prince who's going to send us $50 million, right?
Dave Bittner: [00:10:27] Right.
David Dufour: [00:10:27] But that's not what phishing email are anymore, David. They're hyperfocused on improved spelling, improved grammar, and they are becoming more psychologically focused, where they're trying to get you to react rather than just saying, hey, maybe you can get a million dollars, or hey, it's your bank; maybe you should call us. They're really trying to play on things like - it's, hey, this is your boss; I need something urgently. Or this is your financial institution. Your account's been hacked; we need you to click here right now and update your account information. They're really getting good at that psychological component.
Dave Bittner: [00:11:02] So is there a little bit of a disconnect there, where maybe people feel as though they're better at distinguishing them than they actually are?
David Dufour: [00:11:10] There's not only a little bit of a disconnect; it's huge. Around 80% of folks really, genuinely feel like that they can identify it, but then once we start drilling into interviewing, they're struggling with finding phishing emails because they still hearken back to the days of the poor grammar and things like that. But in addition to that, most people think phishing attacks only come through email. And that is the primary vehicle, but we're seeing large attacks - we're seeing a 60% increase in attack attempts through social media. We're seeing increases through SMS attacks and phone calls. People forget about phone calls, as well. So it's absolutely growing.
Dave Bittner: [00:11:50] And what's the answer here? How do we protect people against this?
David Dufour: [00:11:54] Well, one of the number one things, David - and you're going to roll your eyes because I was shocked at this and would not have believed it - 35% of people who've been phished did not change their password on the account that was phished. So they knew they'd been phished. They knew they clicked the link. They knew they entered their credentials. They did not go back and change their password. So if you do nothing at all, nothing, change your password if you've been phished.
Dave Bittner: [00:12:24] Now, what about from the employer's point of view? Is this something where I'm going to get my money's worth on my investment on training for my employees, maybe sending them test messages, test phishing messages - that sort of thing?
David Dufour: [00:12:36] Yes. So we're a huge proponent of that because the number one thing you can do in terms of if you're an employer is to train your employees to identify phishing emails and what to do with it. Obviously, if people don't know what a phishing email looks like, they don't know how to respond to it. So training is always imperative because they're playing psychologically on folks.
David Dufour: [00:12:57] And the second part of that is, what do they do if they suspect a phishing email or if they've been phished? You know, the - people can be embarrassed. They can be a little bit like, oh, my gosh, I'm going to get in trouble. You have to spell it out that you're not going to get in trouble. And in fact, if you have been phished, it's imperative that you tell your organization because then they have tools they can put in place to monitor, you know, for activity around that phish. So it's really important that you let people know. All of us get phished, David. It's not a question of if; it's more of a question of when.
Dave Bittner: [00:13:29] Yeah. So there's no shame in admitting it.
David Dufour: [00:13:32] That's exactly right. Doing so really will help your organization. But again, back to what your organization can do - continuous training, always making sure people are aware of what to do, that's the number one thing.
Dave Bittner: [00:13:44] All right. Well, the blog post is "Hook, Line, and Sinker: Why Phishing Attacks Work." It's over on the Webroot website. David Dufour, thanks for joining us.
David Dufour: [00:13:52] Great being here, David.
Dave Bittner: [00:13:58] Now it's time for a few words from our sponsor BlackBerry Cylance. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids. But to keep this savvier hoods' hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with the threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.
Deviant Ollam: [00:14:57] By working as I do in this industry, you start to see the world as not a series of constrained conditions that you must acclimate yourself to and submit yourself to, but you see the world as an environment that is under your control. And you say, well, if I don't like what I'm encountering here, if something's not working for me, I will just immediately use whatever I can on hand to change my environment. I will remake the situation to be better for me and those around me.
Dave Bittner: [00:15:25] That's the hacker who goes by the name of Deviant Ollam being interviewed by my guest today, author Jeremy N. Smith, for his new podcast series "The Hacker Next Door." I've spoken with Jeremy before about his book "Breaking and Entering: The Extraordinary Story of a Hacker Called 'Alien.'" In our most recent conversation, I asked him how writing that book led him to producing "The Hacker Next Door" podcast series.
Jeremy N. Smith: [00:15:50] Writing "Breaking and Entering" was really exciting to me because I had this main character who was a female hacker, who'd grown up with the information insecurity industry with hacking, as it went from a sort of skateboarding-like subculture to this, you know, $100 billion-plus industry. But I was not able to follow all the juicy side stories or dig in to all the other kind of characters I met along the course of my research and reporting. So I really wanted to be able to follow their stories and just give their voices a chance to be heard, too, and also represent the huge range of kinds of hackers and kinds of hacking that are out there and do that with 10 different people, 10 different kinds of hackers, 10 different kinds of hacking in this sort of spinoff series.
Dave Bittner: [00:16:42] So take us through some of the stories that you've gathered here on this podcast you've launched.
Jeremy N. Smith: [00:16:47] Sure. So I've got legendary lock-picker Deviant Ollam, who talks about lock picking and physical breaking and entering and his sort of mindset when he's sussing out a new scenario to break in, as well as the sort of hacker social scene and the convention scene and how that's grown up. I talked to Karen Springer, who is a COO, about managing and hiring a group of hackers. You know, how do you hire people whose job is to be devious? How do you manage them? And she's also a ransomware negotiator. So what that looks like - what's it like talking to the black hat hackers on a daily basis.
Jeremy N. Smith: [00:17:28] I talked to a African-American woman, Skylar Rampersaud, who's at Immunity Inc. But when she was 15 years old, she was recruited by the NSA, when she was, like, a sophomore in high school. And she ended up working with them for 12 years - so what that's like. I talked to Johnny Long, the founder of Hackers for Charity, about kind of rising in the hacker ranks, becoming really famous, prominent, popular and successful, but then that not satisfying him and feeling really empty inside and finding God and moving with himself and his entire family - including, I think, two, three kids - to Uganda for more than five years and setting up philanthropy entirely funded by the hacker community.
Jeremy N. Smith: [00:18:15] I've got hacker parents on raising hacker kids. I've got, you know, a L0pht member, Joe Grand, on a hardware hacking and his first public speaking experience, which was testifying before Congress when he was, like, 22 and sort of hosting the show "Prototype This!," which helped launch the autonomous vehicle industry, among other things. I've got Bugcrowd CEO Casey Ellis on what it's like to employ hundreds of thousands of hackers and the insight that gives him into the hacker economy and its ins and outs. I've got anthropologist Gabriella Coleman, who embedded with Anonymous for six years about what - seeing Anonymous blow up and then kind of get blown up was like from the inside and the virtues of online anonymity.
Jeremy N. Smith: [00:19:07] I've got hacktivist Katelyn Bowden with the BADASS Army about fighting revenge porn and organizing a hacktivist army. And sort of going back to Alien's roots and the MIT - the original building exploration hacker scene, where you're going onto rooftops; you're going up steam tunnels; you're going through elevator shafts, and you're doing these elaborate, ingenious pranks. I talked to Liana Lareau, who's - at her day job, is sort of hacking the human genome, but her background is in that kind of physical building access hacking at MIT - about the pranks she pulled as an undergraduate and the sort of transition between those worlds doing elaborate, amazing hacker-like art at Burning Man.
Dave Bittner: [00:19:53] Was there anything that struck you going through this process? I'm thinking of new things that you learned, new insights you've gained, beyond what you had learned when you were writing the "Alien" book?
Jeremy N. Smith: [00:20:07] Yeah, absolutely. So writing "Breaking and Entering," there were so many things I learned just about the history of hacking and its origins in physical exploration before computers, but then also what it looks like day in, day out, to be, you know, breaking and entering - the business. But writing this, I got a much better sense, I think, of hacker - I want to say culture, but ethics and also aesthetics.
Jeremy N. Smith: [00:20:32] So, you know, I remember the hacker parents were Caroline Hardin and Grant Doby (ph), who do a huge variety of stuff from hackathons, makerspaces, the kids area, r00tz Asylum at DEF CON, and talking about, what do I tell people who want to get their kids into hacking but are afraid that it will turn them into criminals? And I remember Grant just saying, well, anyone who has ever used duct tape for any purpose other than repairing duct work is a hacker...
Dave Bittner: [00:21:02] (Laughter).
Jeremy N. Smith: [00:21:02] ...And just sort of those sort of simple definitions of, you know, twisting something for a different purpose or kind of being smarter than the designer or the typical user or making your life and hopefully other people's lives easier. And Deviant, the lock-picker talked to that, too - you know, trying to improve the world through hacking and just those examples and those really grounded life stories, just getting to hear it in their own voices, just really helps me kind of convey that to other people because I started the podcast because I was still - even in giving talks about the book, people don't have an image of hackers. This is still a community and culture that does not have a public face. Even if you do a image search, you see literally no faces. It's all shadowed figures in hoodies or Guy Fawkes masks.
Jeremy N. Smith: [00:21:56] And I'd met, meanwhile, all these people, you know, diverse people. And the idea that a hacker could be a grown-up, a hacker could be a professional, a hacker could be a woman, a hacker could be a mother - those just super basic things were still mind-blowing to so many people. So to just have enough time and space to let the hackers speak for themselves, to show their positive side and how they got into it and what the world looks like from their perspective, that was too tempting to let pass.
Dave Bittner: [00:22:28] Is there any particular through line that you sensed as you went your way through these interviews? Is there a common thread here?
Jeremy N. Smith: [00:22:37] Yeah. I think nobody had their career on purpose. You know, all these people got into this world when this world was so new that they didn't know what they were getting into. They all kind of came in sideways or by accident, and they learned by doing. It wasn't having a big plan and doing it step by step; it was saying, oh, this is interesting. This is fun. I'm going to take this step, then that step and do this project and that growing, over time, to a reputation and eventually a community and kind of looking back as adults and saying, wow.
Jeremy N. Smith: [00:23:12] I think the other thing is that so many of them see that community as threatened one way or another or those ideals and ethics as threatened because it's so professional that the sort of private spaces hackers have made for themselves outside of government, outside of corporate control, are at risk. And the Internet itself has become so commercialized and so monocultured in some of the major platforms that control so much of the traffic that the idea of taking things apart, tinkering them, making them better, sharing that with friends, they see that as threatened, too.
Dave Bittner: [00:23:54] What do you hope people take away from this? Someone who listens to the 10-episode series, what are you hoping that they learn?
Jeremy N. Smith: [00:24:01] I want them to have a human face, or human voice in this case, to hackers and to realize how diverse hacking can be and how positive many of the outlets are. In my talks, I often make the analogy to being a surgeon. Two hundred years ago, if you did a Google image search - if Google image had existed - for surgeon, you would have found gravedigger, body snatcher, murderer. And as that profession has come out of the shadows, obviously, it's white lab coat, it's saving lives, it's opening bodies to save lives. And I think we need to make that transition with hackers themselves.
Jeremy N. Smith: [00:24:43] And I think hackers need to have a positive public image for themselves to refer to. I think it hurts the community itself to not have these virtuous examples represented because we don't know how the insides of the systems we all rely on work unless we're hearing from hackers. And if we're afraid of them, we can't hear what they're saying.
Dave Bittner: [00:25:05] That's Jeremy N. Smith. His new 10-part podcast series is titled "The Hacker Next Door." And that's the CyberWire.
Dave Bittner: [00:25:18] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:25:29] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you tomorrow.