Why Russian Propaganda Botnets Can Hurt American Companies

The latest deployment of Russian botnets directed at American politics was truly stunning. It happened via social media. One can only hope that it will notch up the urgency for government and businesses to address the serious threat that botnets have become.

I refer to House Republicans recently spreading word about a top-secret memo that purportedly showed that Democrats were in cahoots with the FBI in the investigation of the Trump campaign on allegations of collusion with Russia and subsequent obstruction of justice. Soon after the story broke, Russian botnets unleashed what has now come to be known as the #Releasethememo campaign, which instantly became a top trending hashtag among Russian bots and trolls on Twitter. It seems like a good guess that this botnet activity was aimed at adding validity to the memo in question by intimating a cover-up.

The most alarming aspect of this botnet activity is how good it is. It really does look legitimate to the untrained, and even semi-trained, eye. We now know Russian botnets fueled wildly conflicting polling results during the 2016 presidential race, and fabricated 6.1 million Twitter followers for then-candidate Donald Trump, but it's starting to look like that was just a test run.

Adding legitimacy

The scale of these operations is made possible by botnets, the engines of cybercrime. A "bot" is a computing device poised to receive and carry out instructions from a controller. A botnet is a collection of thousands of bots reporting to a single controller.

Botnets distribute email spam and phishing attacks, probe websites for weaknesses and carry out distributed denial of service (DDoS) attacks. And, increasingly, they're becoming a lever in high-stakes political discourse.

Botnets are well-suited to creating and maintaining myriad Twitter accounts, and using social engineering tactics to assemble vast followings. "Once these seed accounts are well established, the initial propaganda tweets can rapidly gain significant exposure," says Andrew Jones, senior sales engineer at Shape Security. "This adds legitimacy later when bots begin to subsidize any human sponsored retweets or posts related to the propaganda to attract further attention."

Rising presence and threat

Their use in propaganda campaigns underscores how pernicious botnets can be. And this trend is on the rise. The Spamhaus Project, a nonprofit that tracks cyber threats, counted a 32% increase in active botnet controllers in 2017. Significantly, many of these controllers leveraged virtual instances of computers spun up in the cloud--computing power made available by Amazon, Google, Microsoft and other cloud services providers.

Spamhaus also found that botnets composed of Internet of Things (IoT) devices more than doubled to 943 in 2017, up from 393 in 2016. This is particularly bad news that points to the establishment of much larger and more powerful botnets made up of infected home routers, web cams, smart TVs and the like.

Despite the nature of the threat posed by botnets, the issue is still an abstraction for most consumers and businesses. That's understandable given the complex digital age we live in. But until public awareness is raised considerably, the impetus to do something substantive isn't likely to get much traction. One way to do this is to point at the messenger (i.e., the propaganda machine). What is now pointed at political issues can be easily directed at a competitor in business.

If there is any good news, it is that organizations like the National Institute of Standards and Technology and the National Council of Information Sharing and Analysis Centers have been methodically striving to address the networking flaws exploited by botnets. And just this month, the National Telecommunications and Information Administration issued a report specifically addressing botnets.

NTIA is calling upon other federal agencies to seek out partnerships with private industry to implement six "principal themes" and five "complementary and supportive goals" designed to mitigate botnet threats.

Focus on the problem

Meanwhile, innovative cyber defense technologies are getting more widely leveraged every day. Shape Security, Spamhaus and many other vendors are growing by helping companies proactively detect and deflect botnet traffic.

"Companies can challenge the bot to prove that it is a human, using various puzzles, and machine learning to determine if it is a real user," says Rami Essaid, chief product and strategy officer at Distil Networks, another of these vendors. "All of this should happen in real-time before the bot gains access to the site."

Someday, botnets could be ushered into obsolescence by networks designed to repel them. We're a long way from that day. The social media platforms need to step up to the plate, and it may be necessary for Congress to add teeth to best practices protocols.

In the meantime, companies of all sizes should become well-acquainted with botnets, quantify how botnets may be hurting them, and do what's necessary to proactively vet botnet traffic.

"There are tools and services available now that can accomplish that differentiation," says Shape Security's Jones. "All we need to do is make sure they're deployed." The first step is realizing the potential vulnerability.

Next: Hackers Target Industrial Plants and Critical Infrastructure

There was a stunning cyberattack on a critical Middle Eastern infrastructure site recently and it hasn't gotten the public scrutiny it deserves. Triton (A.K.A. Trisis), a new strain of malware, was discovered last month via intelligence sharing reports provided by the security vendors FireEye and Dragos. The news was the latest in a series of public disclosures about progressively more sophisticated energy plant hacks.

The specter of attacks on the power grid and other systems is no longer a matter of speculation. Hackers are testing the protections for critical infrastructure, and energy plant operators need to take the threat seriously, as do the decision makers in the industrial sector at large.

Core finding

Security analysts uncovered malware designed to take over the Schneider Electric Triconex Safety Instrumented System (SIS) at an unnamed industrial site. SIS systems are routinely used in plant settings to monitor industrial processes, and shut them down if operating parameters approach a dangerous state.

Notably, it now appears that the Triton hackers inadvertently shut off the plant's SIS system in what may have been a botched reconnaissance operation, says Phil Neray, strategy vice president at Boston-based cybersecurity vendor CyberX.

"They had hacked into the controller of the safety system, which is there to shut everything down if something goes wrong," Neray observes. "They evidently made a mistake and triggered the safety system to shut down the plant."

Hacking methodology

Experts say it's likely that the hackers initially used social engineering, perhaps a phishing ruse that prompted a plant employee to unwittingly share logon credentials to the SIS. The hackers would then have been able to embed the Triton malware in the SIS, and gain access to the system.

"Reconnaissance, pivoting, and dwelling at length within networks are common strategies for advanced hackers," says Satya Gupta, chief technology officer at Virsec Systems, a supplier of application security systems. "Their goal certainly would have been bigger than to trip a relatively benign shutdown."

This is a type of activity one would expect from rival nations preparing offensive and defensive strategies for cyberwar campaigns. As the attack vector becomes more defined, it gives rise to a question: How long have hackers been targeting infrastructure, and which past attacks were part of that campaign? That is unknowable, but the Triton revelation could change the way researchers view the Shamoon virus outbreaks that crippled office computers at Saudi energy companies in December 2012, and again in January 2017.

Wider implications

While stealth and misdirection are ruling principles in cyberwarfare--making attribution difficult if not impossible--it seems worth noting that the Triton disclosure closed out a year in which hacking groups believed to be aligned with Russia, Iran and North Korea were caught probing and accessing the back-office business networks of U.S. energy companies.

This flurry of activity prompted the FBI and the Department of Homeland Security to issue an amber alert warning about a wave of malware attacks targeting office workers at U.S. energy plants. Why go after office workers? Humans are always the weakest link in any security system. Industrial control systems are disconnected, or "air-gapped," from administrative systems, and thus considered intrinsically safe--but the people who operate them are not.

Malicious hackers are very good at what they do. Increased use of cloud computing and connected mobile devices (with questionable security) has made air-gapped security obsolete, and given rise to an incipient security nightmare. The alarming accomplishment of the Triton caper was the demonstration of how a phishing attack on the IT side of the house can be leveraged to hack into the OT, or operational technology, side of the house.

"Many legacy industrial control systems were designed with 'security by isolation,'" Gupta says. "However, with increasingly connected systems, isolation is hard to find, and it is not adequate as a security strategy."

While there may be no reason to panic yet, this progression of energy plant probes and intrusions ought to increase the urgency for the industrial sector to begin taking proactive steps to bake security into their IT and OT systems. It's time to address the air-gap gap.

The Phone Call That Changed the Way I Choose My Passwords, Forever

This past summer, I was at an amusement park with my family, when I received a call from an unlisted number. The call was from the fraud prevention department of my bank. What she asked me to do set off a chain reaction of events that took everything I knew about online security, and threw it out the window.

"Good afternoon ma'am, this is Katherine with the Fraud Prevention Department at [censored] Bank. We are calling to confirm an online purchase for $5,791.26 placed on [censored]'s website, two minutes ago."

My heart started pounding. Even though it was 85 degrees in Utah, I felt a shiver down my spine as my blood ran cold. My mind was racing faster than the rides in front of me, and I had to remind myself to remain calm.

"No. Absolutely not! I've been here at the park for the last three hours. I think my card has been compromised."

The bank immediately questioned several other charges to my card. We worked backward until I recognized one as mine. Each was subsequently flagged as fraudulent. Assuring me everything would be fine, they reversed all suspicious charges. They also reverted to my original address and phone information.

"A new card will be in the mail shortly. Have a good day. Thank you for banking with [censored]."

My family and I left the park immediately. I raced home to assess any further damage that might have been done. How was my data compromised and when did it happen? I didn't have an answer.

I've had the same username and password combination for the last nine years. Its strength has always maxed out any "password strength indicator." I used the DoD recommendation. Two numbers, two symbols, two lower case letters, two uppercase letters, no dictionary words, and no identifying information. I even implemented it as a random string of characters that I eventually memorized, to create a minimum character limit of 15 digits.

There was no way this was a password that could be cracked. It was perfect. But it was old.

It had also been expanded in its duties. All the while, it remained unmodified in strength. The password was being trusted to protect more online accounts than I have fingers and toes.

As I was logging in to check each account, I noticed a glaring pattern. I wasn't changing the situation that allowed my banking information to be compromised. I was simply refreshing the situation with a single new password. As soon as I realized this, I began to panic again. Any of these sites could have been hacked, and would have my whole world in their hands all over again.

I immediately began researching how to protect myself from repeating this situation. While compiling a list of action items, I was discovering information that was startling. According to nearly every news article I found, I was committing numerous online security sins.

Here are four easy strategies I learned that have hopefully made me more secure:

1. Use a complex password that's difficult to guess.

I had an exceptionally difficult password that would be all but impossible to guess. It was far too complex to memorize for multiple accounts. It was a representation of the DoD guidelines, without the obnoxious necessity of changing it every sixty days, as they recommended.

2. Avoid password re-use between accounts like the plague.

According to data from threat prevention firm Preempt, 35 percent of adults use the same username and password for all accounts online. Of this large group, 87 percent of them prefer memorization as their method for keeping track of the password.

3. Change your passwords often.

Keeping your passwords new and fresh will ensure that if your data is part of a large breach, any hackers involved will have a very small window of opportunity to use your information.

4. Use password management software.

A password manager has multiple roles to help build and maintain a secure online presence. The software will store your passwords in an encrypted location on your device.

Then, the manager uses an autofill feature to enter your credentials securely. If you are creating your own passwords, you are able to build a complex password for each individual site's user credentials.

Are you living in a false sense of security? Being complacent can leave you open to disastrous results, especially considering we are heading into 2018, when cybercriminals are predicted to have their most successful year of attacks ever.

How Flawed Intel Chips Could Ignite Next-Gen Hacking

Just when you thought it was impossible to use a connected device without getting hacked, 2018 arrives with the discovery of an entirely new class of vulnerability built into the processors of virtually every computing device in active consumer and business use.

Two distinct hardware flaws--dubbed "Meltdown" and "Spectre"--were recently disclosed by white hat researchers. They did this responsibly. The researchers first notified the culpable parties, notably Intel and Microsoft, thereby giving the tech giants time to prepare and test patches, and make the workarounds ready for wide distribution. So far, there have been no publicly disclosed attacks leveraging either Meltdown or Spectre.

That's the extent of the good news. The full scope of the bad news, at the moment, is unknowable. While the threat at this point is theoretical, it would be foolish to downplay the notion that motivated threat actors have very likely begun to probe for ways to take advantage.

Ever expanding attackable surface

Cloud-based data centers that use Intel chips, according to Reuters, have begun looking into the possibility of building new infrastructure with chips supplied by rivals to avoid the vulnerabilities, while others appear to be pushing for Intel to offer big discounts.

Who can blame them? No one knew anything about Meltdown and Spectre when the ball dropped in a frigid Times Square to usher in 2018. Now the race is on to protect systems before threat actors figure out how to exploit them. It's vital for organizations to address this in a timely manner. 

Much like Heartbleed and Shellshock--the open-source software flaws disclosed in 2014--Meltdown and Spectre represent a heretofore overlooked class of systemic vulnerabilities. This time the vulnerability is baked into the hardware. As corporate networks were being thrown together in the first decade of this century, technology vendors unknowingly distributed these flaws far and wide. At the time, the potential security implications were unthinkable.

"The problem was created because chip manufacturers found clever ways to improve chip performance, while inadvertently leaving backdoors to the inner sanctum -- where processing takes place on the chips," Satya Gupta told me. He's the founder and chief technology officer of Virsec Systems, a supplier of application security systems.

Consider that Meltdown and Spectre are present, not just in data centers, but also on just about every type of computing device in consumer and business use, including billions of smartphones. At least theoretically, they provide malicious hackers with yet another access point to burrow deep into corporate networks and wreak havoc. Meltdown and Spectre expand an already vast attackable surface.

Motivated attackers

While patches are available, patching often is costly and disruptive. Comprehensive mitigation of something as complex as Meltdown and Spectre is likely to take years, and may never be fully accounted for. Right on cue, things are getting off to a lugubrious start. Microsoft this week acknowledged that the patches available for Windows servers could significantly impact server performance. How do you think that will fly with corporations competing in a data-driven marketplace?

"Even though chip performance has grown exponentially over the last 20 years, it's never acceptable to force customers to take significant steps backwards in performance," observes Gupta.

Meanwhile, cyber criminals have to be exploring these new paths. In the cyber underground, there is no lack of motivation to innovate. Exploiting fresh vulnerabilities that lead to root access of devices and systems is the Holy Grail of hackers with malicious intent. If organizations don't make mitigation of this exposure a high priority, a run of opportunistic attacks likely will follow.

Meltdown and Spectre are sure to energize the best and brightest threat actors, be they profit-minded criminals or cyberwarfare operatives. The rising trepidation of Intel's cloud solution customers may be well founded. It's easy to imagine elite hackers developing and testing chip-level attacks to crack into cloud computing data centers where the most sensitive information is often stored by clients and consumers alike.

This should be a wake-up call for the many organizations that have yet to embrace well-established vulnerability patching best practices and assertively address this new exposure. But it probably won't be.

After all, Meltdown and Spectre have not yet been exploited in the wild, at least as far as we know. Sadly, a high-profile organization probably needs to be compromised before the solution to these chip vulnerabilities becomes as urgent a matter as it already should be.

VC Fred Wilson on Yubikeys

I saw my friend Chris tweet this question yesterday and had to respond:

Nick helped me get Yubikeys set up on all of the services I use that support them in the past few weeks. If I had a new year's resolution, which I don't, it would have been to start to use Yubikeys.

So what are Yubikeys?

They are a brand of "security keys" that are supported in the two factor authentication offerings at Google and many other Internet services.

They look like this:

Courtesy Yubico


You can buy Yubikeys here.

The idea is you keep one with you and one in a safe place in your office or home or a bank safe deposit box.

If you lose your phone, you have a Yubikey to get you back into the service.

But I don't only use Yubikeys as "backup codes," which I also keep stored safely.

I have started using my Yubikeys instead of a Google Authenticator code. It can be easier if you have the Yubikey handy.

But whatever you do, don't use SMS for two-factor codes.

I was hacked this summer and the attacker tried (unsuccessfully thankfully) to port my phone number.

My partner Albert recently experienced a similar attack. He wrote about it here.

So here is the best practice as I see it:

  1. Always use two-factor authentication if it is offered. And it is almost always offered on popular services.
  2. Don't use text messaging to deliver two-factor codes. It is not safe. You can have your number ported way too easily.
  3. Use Google Authenticator to deliver two-factor codes onto your phone.
  4. Use a Yubikey as a backup in case your phone is lost, stolen, or dropped in a swimming pool or toilet.
  5. Print out the backup codes to the two-factor services and put them in a safe place.

Personal data security is a big deal. Trust me on this. Don't let yourself get hacked to understand why.

And Yubikeys are a nice addition to the personal security mix. I like them a lot.

Small Businesses Are Most At Risk of Identity Theft During Tax Season, Says the IRS

While cybersecurity should be a year-round concern for small business owners, income tax filing season can bring some particular risks, according to the IRS.

The agency says it has gotten an increase in reports of attempts to obtain employees' W-2 forms in hopes of stealing people's personal information and identities. The scams often go after employees in companies' human resources and payroll departments, but any staffer or manager could be a target. In the scam, a potential thief poses as a company executive, sending an email from an address that might look legitimate, and requests a list of employees and their W-2s.

Owners need to be sure that anyone with access to employee records, including W-2s, understands that they shouldn't send the forms or staffer information to anyone without checking to be sure this isn't an attempted scam. The IRS also wants companies to report W-2 scam emails to the agency, and it also wants to know if anyone has become a victim. For more information, visit the IRS website, www.irs.gov, and search for "Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers."
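The check the IRS asks payroll staff to make by hand can also be automated at the mail gateway. The following is an added example (not IRS or Associated Press code) that screens a message for the three tells of the W-2 scam described above: a request for W-2 or payroll data, an executive's display name on an address that is not theirs or on a look-alike or external domain, and a Reply-To that redirects the answer. The company domain, the executive roster and both sample messages are constructed for illustration.

```python
"""Screen inbound mail for the W-2 request scam the IRS describes.

Added example, not IRS or Associated Press code. The company domain, the
executive roster and both sample messages below are constructed for
illustration; a real deployment would load them from the organisation's
directory and mail gateway.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"                    # assumption: the real corporate domain
EXECUTIVES = {"pat doe": "pat.doe@example-corp.test"}   # assumption: names staff would defer to

# Phrases that mark a request for the data the scam is after.
W2_TERMS = re.compile(
    r"\b(w-?2s?|wage and tax statements?|payroll (?:list|report)|ssns?)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_w2_request(raw_message: str) -> dict:
    """Return the warning signs found in one RFC 822 message.

    A message is flagged when it asks for W-2 or payroll data AND shows at
    least one sender anomaly: executive display name on a foreign address,
    look-alike or external domain, or a Reply-To that differs from From.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()

    if not W2_TERMS.search(text):
        return {"suspicious": False, "findings": []}
    findings = ["asks for W-2 / payroll data"]

    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' is an executive but address is {addr}")
    if domain != COMPANY_DOMAIN:
        kind = "look-alike" if edit_distance(domain, COMPANY_DOMAIN) <= 2 else "external"
        findings.append(f"{kind} sender domain {domain}")
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From")

    # A routine internal W-2 question has exactly one finding and is not flagged.
    return {"suspicious": len(findings) > 1, "findings": findings}


# Constructed sample messages (not real mail).
SCAM_MAIL = """\
From: Pat Doe <pat.doe@example-c0rp.test>
Reply-To: pat.doe.ceo@mail.test
To: payroll@example-corp.test
Subject: Quick request

Hi, I need the W-2s for all employees as a PDF today. Send them to me directly.
"""

ROUTINE_MAIL = """\
From: Pat Doe <pat.doe@example-corp.test>
To: payroll@example-corp.test
Subject: Board deck

Can you send me the Q4 headcount numbers for the board deck?
"""

if __name__ == "__main__":
    for label, mail in (("scam", SCAM_MAIL), ("routine", ROUTINE_MAIL)):
        result = screen_w2_request(mail)
        print(label, result["suspicious"], result["findings"])
```

A flagged message should be held for the out-of-band confirmation the IRS recommends (a phone call to the named executive), not silently dropped, since a genuine internal payroll request can also mention W-2s.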

The IRS also warns all taxpayers about emails that look like they're coming from the agency but that are phishing attempts aimed at getting harmful software into a PC or a server. The emails might say that the taxpayer has a refund waiting at the IRS, or that the agency needs more information from the taxpayer. There's likely to be a link or an attachment that the reader of the email is supposed to click on--and that's how thieves and hackers gain entry to a computer.

The IRS does not initiate contact with taxpayers by email, text messages or social media; it sends letters by U.S. mail. Company owners and their employees need to be on guard against all kinds of phishing scams, and no one should ever click on a link or attachment until they're completely sure the email is legitimate. And if an email says it's from the IRS, it's not.

Accountants and other tax professionals are also targets of thieves looking to steal personal information and identities, the IRS says. It has a page on its website devoted to providing paid tax preparers with information so they can protect themselves and their clients. The address is www.irs.gov/tax-professionals/protect-your-clients-protect-yourself.

--The Associated Press

Tech Firms–and Users–Scramble to Address Major Security Flaws Found in Nearly All Computers and Phones

What happened?

Details emerged yesterday about two major security flaws in the processors used in most computers and phones, and many technology companies are scrambling to issue fixes for their customers. The two vulnerabilities, known as Meltdown and Spectre, affect the vast majority of computing devices made since the 1990s, with Meltdown impacting devices that utilize Intel processors, and Spectre more broadly affecting machines using chips made by Intel, AMD, and ARM Holdings.

Meltdown and Spectre -- discovered by folks working at Google's Project Zero in conjunction with researchers from several countries -- allow attackers to compromise people's computers by exploiting mistakes in the way that processors handle the memory used by multiple processes running at the same time. The bugs potentially allow a criminal to access memory containing passwords or other private information, as well as to capture users' keystrokes and mouse/tap input. Anyone accessing any website that uses JavaScript (i.e., pretty much everyone) could be at risk of attack if a website being accessed has been compromised and exploit code loaded onto it.

In an interview with Reuters, Daniel Gruss, one of the researchers who discovered Meltdown, described the bug as "probably one of the worst CPU bugs ever found."

How should you protect yourself?

Sadly, the answer is somewhat complicated:

For various technical reasons, Spectre is a difficult flaw to fix, and, to be blunt, we will likely be living with it for quite some time; it is unlikely that software providers will be able to provide fixes -- so we must hope that the hardware firms find a way to address it. The good news, however, is that Spectre appears to be an extremely difficult vulnerability to exploit.

As far as Meltdown goes, Microsoft and Apple have issued operating system patches -- so make sure to keep your devices up to date; some users of third-party anti-virus software may not automatically receive the Microsoft patch. Also, Microsoft, Google, and Mozilla have all issued patches for their web browsers -- to defend against exploitation via browsing -- so make sure that you have the latest version of your browser (which most people will have via auto-update).

Adding to the mix, however, is a monkey wrench: Some folks claim that installing the patches slows down computers using Intel chips by as much as 30 percent.

Eventually, there will likely also be BIOS updates available as downloads, and updates for smartphones and tablets -- these should be installed as well.

Here is the bottom line: We will likely be living with some vulnerability for some time, but you can still protect yourself as much as possible by keeping your devices up to date -- which is advice that should have been followed before the present bug discovery, and should be followed afterwards as well.