Cyber Weekly Roundup – August 25, 2017

Weekly Roundup

Cyber Weekly Roundup – August 25, 2017

By Andrew Paulette and Mesay Degefu

1.) Show the proof, or cut it out with the Kaspersky Lab Russia rumors (August 25, 2017)

http://www.csoonline.com/article/3219848/vulnerabilities/show-the-proof-or-cut-it-out-with-the-kaspersky-lab-russia-rumors.html

Summary: By nature of the job, security professionals tend to be skeptical and overly suspicious, but the good ones are also good at weighing the evidence before making their decisions. Which is why it’s so perplexing that rumors about Moscow-based security company Kaspersky Lab being in bed with the Russian government keep swirling, absent any proof.

Why it matters: While concerns over backdoors in a foreign security software are worth addressing, so far there has not been any concrete evidence that Kaspersky is actively working to undermine and exfiltrate information from their clients to the Russian government.  Most of the proof used to support these claims has come from instances where Kaspersky has assisted Russia’s intelligence agency, the FSB, with creating a tool to fight DDoS attacks.  As the article states, “security companies – even U.S.-based ones – regularly work with law enforcement and security researchers together to dismantle some of the world’s largest botnets over the past few years.” While there are legitimate concerns to Russia’s strategy and operations in cyberspace, allowing this concern to seep into businesses and the citizens of a foreign nation without providing proof will lead to further conflict with foreign powers, instead of resolution.

2.) Beware of Windows/MacOs/Linux Virus Spreading Through Facebook Messenger (August 24, 2017)

http://thehackernews.com/2017/08/facebook-virus-hacking.html

Summary: If you came across any Facebook message with a video link sent by anyone, even your friend — just don’t click on it. Security researchers at Kaspersky Lab have spotted an ongoing cross-platform campaign on Facebook Messenger, where users receive a video link that redirects them to a fake website, luring them to install malicious software.

Why it matters: While the malware described in this article is less of a threat compared to Ransomware, Trojans, or exploit kits, it is still interesting to note that the adware installed on the victim’s computer was cross-platform. Designing malware which takes advantage of multiple operating systems is not common, so it shows an additional degree of initiative on the part of the malware developers to ensure that the maximum number of users are affected.

3.) Easy-to-Use Apps Allow Anyone to Create Android Ransomware Within Seconds (August 24, 2017)

http://thehackernews.com/2017/08/create-android-ransomware.html

Summary: Ransomware threat is on the rise, and cyber criminals are making millions of dollars by victimizing as many people as they can—with WannaCry, NotPetya and LeakerLocker being the ransomware threats that made headlines recently.

Why it matters: Malware developers continue to find new ways to target a large audience by simplifying the creation of Ransomware.  By choosing Android as the service that creates the malware, and the platform that is attacked by this Ransomware, they extend their market to a platform that has still not seen ransowmare attacks on the scale of those seen against the Windows platform.

4.) White House cybersecurity coordinator warns against using Kaspersky Lab software (August 22, 2017)

https://www.cbsnews.com/news/kasperksy-lab-software-suspected-ties-russian-intelligence-rob-joyce/

Summary: Rob Joyce, the Trump administration’s cybersecurity coordinator, said Tuesday the U.S. is lacking 300,000 cybersecurity experts needed to defend the country. He also had a warning for the public about using software from Kaspersky Lab. U.S. officials believe the company has ties to the Kremlin — and the federal government has vowed not to use its products.

Why it matters: For a long time, software has been used to introduce malicious code. In this case, a popular anti-virus software (Kaspersky) is suspected to feed valuable information to Russian intelligence. Since globalization, it has been tough to impose a policy associated with technology products, especially for software. Without more intel, it is difficult to figure out what programs are imbedded into the software. Although the current software import law is directed toward piracy, it is important to create a law that addresses software imports. In addition, it is important to focus on software that is embedded into hardware. When entering the US, the current Customs and Border Protection import policy requires hardware to be registered, but it does not require the inspection of software that is imbedded into hardware. Policy makers should consider revising this policy.

5.) U.S. Navy considers possibility of cyber attack after another ship collision (August 22, 2017)

http://www.csoonline.com/article/3218724/security/navy-considering-possibility-of-cyberattack-after-another-ship-collision.html

Summary: After the collision of the USS John S McCain and a Liberian-flagged tanker near Singapore on Monday, Chief of Naval Operations Adm. John Richardson ordered an operation pause while the U.S. Navy investigates the cause, including any possible cyber attack angle.

Why it matters: It is too early to point the finger at any form of cyber campaign to disrupt the movements of the USS John S McCain that may have led to its collision with a Liberian Oil Tanker earlier this week.  That said, this article reminds us of the risks of technology – especially the increasing use of internet connectivity and automation in large pieces of machinery. While there is no doubt that the ability to automate leads to a force multiplier as it frees up crews to focus on other efforts, the risks of attack and manipulation of these systems via cyber attacks is a serious risk that must have the appropriate controls in place to protect the system, allow users to detect when attacks are occurring, and allow for recovery of controls should the a cyber attack be successful.

6.) Blowing the Whistle on Bad Attribution (August 18, 2017)

https://krebsonsecurity.com/2017/08/blowing-the-whistle-on-bad-attribution/

Summary: The New York Times this week published a fascinating story about a young programmer in Ukraine who’d turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. It’s a good read, as long as you can ignore that the premise of the piece is completely wrong.

Why it matters: If nothing else, this story by Krebs reminds us that attribution is hard, and cannot rely on one source of information to unmask attackers. While the New York Times article was no doubt well-intentioned, that fact that the article relied so heavily on the GRIZZLYSTEPPE report, noted by cybersecurity professionals for its broad general set of Indicators of Compromise, doomed the piece from the beginning. Attribution is best left to those with the technical means and experience to infer an attackers identity through various data points.

7.) Email Provider ProtonMail Says It Hacked Back, Then Walks Claim Back (August 16, 2017)

https://motherboard.vice.com/en_us/article/qvvke7/email-provider-protonmail-says-it-hacked-back-then-walks-claim-back

Summary: Hacking back, when companies retaliate against cybercriminals, likely happens a lot more than the public realizes. Whether a firm decides to gather intelligence on who is attacking its customers, or perhaps wipe stolen data from a server, hacking back is controversial. And people typically don’t tweet about it. On Wednesday, encrypted email provider ProtonMail claimed it had hacked someone who was impersonating its service in phishing emails, and the company then swiftly deleted the tweet.

Why it matters: Currently, hacking back against attacks is illegal, which makes the fact that ProtonMail tweeted their actions surprising. While policy has been introduced to legalize this practice, it has been met with criticism due to the risks involved with letting organizations conduct “reconnaissance” against C2 servers which may cross international boundaries and interfere with intelligence and law enforcement investigations. While there is no doubt that plenty of individuals and organizations are participating in “hacking back” and while there is no doubt many of these activities are beneficial to end users, it still remains best practice not to broadcast one’s efforts of hacking back.