In today's podcast we hear that Magecart has achieved another library infestation as Feedify is hit. An evil cursor attack is a variant of a familiar tech support scam. The Ramnit banking Trojan seems to be spiking during the summer, and there are various theories as to why this might be so. More Novichok disinformation is out. Safari URL spoofing seems more nuisance than serious menace. North Korea denounces the US for a "smear campaign" against the Lazarus Group, which doesn't exist, either. Joe Carrigan from JHU ISI shares his frustrations with his bank's insufficient password practices. Guest is Ron Gula, former CEO and co-founder of Tenable Network Security, currently President at Gula Tech Adventures, which focuses on investing in and advising two dozen cybersecurity companies.
Dave Bittner: [00:00:03] An Iranian domestic spyware campaign's been reported. It's most interested in ethnic Kurds. A bogus cryptocurrency wallet site's been taken down. F-Secure warns of a widespread firmware problem that could be exploited for cold boot attacks. The BlueBorne Bluetooth bugs are apparently still out there. Tech support scam ads have been taken down. Policies for election security continue to evolve. And Facebook's founder offers some thoughts on how his platform can save democracy.
Dave Bittner: [00:00:41] Time to take a moment to tell you about our sponsor ThreatConnect. With ThreatConnect's in-platform analytics and automation, you'll save your team time while making informed decisions for your security operations and strategy. Find threats, evaluate risk and mitigate harm to your organization. Every day, organizations worldwide leverage the power of ThreatConnect to broaden and deepen their intelligence, validate it, prioritize it and act on it. ThreatConnect offers a suite of products designed for teams of all sizes and maturity levels. Built on the ThreatConnect platform, the products provide adaptability as your organization changes and grows. Want to learn more? Check out their newest research paper entitled, "Building a Threat Intelligence Platform." ThreatConnect surveyed more than 350 cybersecurity decision-makers nationwide. Research findings include best practices and the impact of businesses due to threat intelligence programs and how organizations who have fully mature programs have prevented phishing attacks, ransomware attacks and business email compromise. To check out the research paper, visit threatconnect.com/cyberwire. That's threatconnect.com/cyberwire. And we thank ThreatConnect for sponsoring our show.
Dave Bittner: [00:02:03] Major funding for the CyberWire podcast is provided by Cylance. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, September 13, 2018.
Dave Bittner: [00:02:15] Check Point reports finding an Iranian domestic spyware campaign. Domestic Kitten, as some are calling it for now because Iranian threat actors get names inspired by Persian cats, appears to be targeting ethnic Kurds and Turks. It's also prospecting potential adherents of or recruits to ISIS. The Islamic State, remember, is no friend of the Islamic Republic. The former is Sunni. The latter, Shiite.
Dave Bittner: [00:02:43] Users are baited into downloading the spyware with an offer to install an app likely to be of interest to them. According to The Times of Israel, Kurdish targets were prospected with a spoofed version of ANF, a Kurdish news agency. ISIS prospects were offered jihad-themed wallpaper for their device. Kurdistan 24 reports that the data exfiltrated by the spyware included contact lists, call records, SMS messages, browser history, bookmarks, photos and geolocation. It may also have been able to capture local voice recordings.
Dave Bittner: [00:03:19] Check Point doesn't directly attribute the campaign to the Islamic Republic, but opposition Kurdish leaders aren't reticent at all about doing so. The surveillance campaign coincides with a fresh wave of measures Tehran is taking against unrest among its Kurdish citizens.
Dave Bittner: [00:03:37] Flashpoint has discovered a malicious website that spoofs the Jaxx cryptocurrency wallet site. The bogus site has been taken down. Its goal was looting wallets. Cloudflare took the copycat site down. Flashpoint points out that this is essentially a social engineering attack and doesn't represent any exploitation of any vulnerabilities in the Jaxx site itself. Once the malicious files are installed on a victim's device, they'll watch the clipboard for wallet addresses which are then swapped for an address belonging to a wallet controlled by the attacker.
Dave Bittner: [00:04:12] Cryptocurrencies continue to be off the highs they reached late last year as some realistic skepticism about speculating in altcoin begins to sink in. There is one exception. Quartz reports that Dogecoin, the cryptocurrency that originated as a literal joke and got away from the jokesters, is still soaring.
Dave Bittner: [00:04:34] Organizations are hit with a barrage of marketing messages promising the one true solution to all of your cybersecurity fears. And to be fair, one of the ways we pay the bills here is by sharing some of those advertiser messages with you. Josh Mayfield is director of security strategy at Absolute Software, and he notes the contrast between vendor and security professional messages and emphasizes the importance of staying focused.
Josh Mayfield: [00:05:01] If you're an IT or an IT security professional, you are struggling to keep up. You want to be an enabler for your business and help it proceed up and to the right. However, from the vendor in the security ecosystem, their direction is more troubling, where it is a lot of doom and gloom and a lot of fear mongering. And I don't mean that in a real negative sense, but there's this anticipation of fear. Whereas on the user side, the IT professional and security professional, oftentimes they have ambition toward hope and a utopia that they're trying to strive for.
Josh Mayfield: [00:05:39] And so that interferes sometimes with the way they perceive a given problem. There is an ever-growing need for greater cybersecurity. And what I find is that when organizations are just more disciplined and focused on what needs to be done, they can actually achieve a lot more than chasing this or chasing that.
Dave Bittner: [00:06:01] So let's explore that some. I mean, take us through - what sorts of things do you recommend?
Josh Mayfield: [00:06:06] The real basis of my schtick, I guess, out there is to try to reinvigorate this notion of the foundations, of making certain that our cyber hygiene is as best as it can be. Growing up, my father and grandfather had the saying of an ounce of prevention is worth a pound of cure. And I think a lot of the malware myopia really stems from this hair-trigger patellar reflex that we have with the looming threats that are out there and new ones popping onto the scene every day. And it's so easy to shift our focus over there, but a lot of that can be avoided.
Josh Mayfield: [00:06:44] Ninety-nine percent of successful attacks target specific vulnerabilities that could have been mitigated beforehand. And so if we keep focusing on the latest threat actor out there, I mean, the latest malware strain, we could actually be misdirected where we're looking at one thing and get flanked on the side which we could have fortified.
Dave Bittner: [00:07:06] How much of this, in your estimation, is this notion that I don't have to have a completely impenetrable barrier, but I just have to be less attractive than the next person down the street?
Josh Mayfield: [00:07:19] That's right. Your organization doesn't have to be Fort Knox, and it doesn't have to be impenetrable, to your point. It just needs to - this is a probabilistic exercise. We just need to lower the probability. We need to compress the attack surface. It will never go to zero. We will never get rid of all potential threats. You have something that attackers want - information. So they're going to deploy all that human ingenuity to get to it. But we can reduce their opportunity for that to occur.
Josh Mayfield: [00:07:48] Natural disasters in our current world are still just as prevalent as they've been in human history, but we've been able to mitigate the human catastrophes that stem from natural disasters. We can take the same approach to our cybersecurity. And we can reduce the effects - we can reduce the opportunity for fallout instead of trying to chase things down once they've already hit landfall. I think the things that are going to require a lot of attention is the heterogeneity of everything.
Josh Mayfield: [00:08:21] Once upon a time, to be a user was to be an inside-the-walls employee. To be accessing data meant you were going through a Windows machine. And the applications you used meant you were logging in to CA or SAP or an Oracle system. And this was just commonplace. But with the explosion of cloud applications, cloud infrastructure, virtualization, containers and the heterogeneity of what we're trying to support, even down the hardware of, do you use a Mac? Do you use a Windows PC? Do you use Dell or HP? All of these aspects, really, that's what it comes down to. You have to orchestrate all of this heterogeneity. And that's the main thing I think we're going to have to get our hands around is normalizing all that out there that is not standard.
Dave Bittner: [00:09:11] That's Josh Mayfield from Absolute Software.
Dave Bittner: [00:09:16] F-Secure has found a firmware vulnerability that affects most laptops and desktops. It enables a variety of cold boot attack that exposes encryption keys and other sensitive information. It's a proof of concept and not apparently something being exploited in the wild. One expects the device makers to address the issue as they're able.
Dave Bittner: [00:09:37] Armis reminds everyone that the BlueBorne Bluetooth bugs - a set of 9 bugs - are still out there. A year after their disclosure, patches for BlueBorne are available, but users have lagged in applying them. About 2 billion devices remain vulnerable, Armis estimates.
Dave Bittner: [00:09:54] Microsoft has purged some 3,000 ads for dodgy tech support services that had appeared in association with Redmond's TechNet. Many of them were swiftly replaced in altered form, which suggests the difficulties even the most straightforward and uncontroversial forms of content moderation face. Such moderation will become even more important if the copyright protection measures enacted yesterday by the EU have their expected effect.
Dave Bittner: [00:10:21] U.S. President Trump yesterday signed an executive order setting up a process whereby election interference by foreign actors would trigger sanctions. Interference covered by the order includes both hacking and propaganda. The U.S. Congress continues to work on its own measures for dealing with election security. There are at least three bills pending before the Senate, and the House has more than one of its own under consideration.
Dave Bittner: [00:10:47] Facebook founder Mark Zuckerberg, stung by criticism of the centralizing tendencies of Facebook and the success various actors have had in using it for their political purposes, has just published a long account of how he proposes to go about fixing things. He follows, to a significant extent, the line expressed by Facebook COO Sandberg at the Senate hearings last week.
Dave Bittner: [00:11:10] The key to making things better is to solve the problem of inauthenticity by requiring users to be themselves, that is, really be themselves and be who they represent themselves to be. He also thinks that those centralizing tendencies aren't a bad thing. And here, he may find a sympathetic audience. Facebook can do a better job of making things better if it's not broken up and if it gets to hang on to WhatsApp and Instagram. That way, if it finds a particular bad actor in one place, it can remove that bad actor from the others. This is unlikely to mollify those in Congress thinking about asking for antitrust action.
Dave Bittner: [00:11:51] He also defended Facebook's taking of political ads as a moral, rather than a commercial, consideration. Ad buys are an important way in which people engage in political discourse, and he's loath to impede free speech. This is unlikely to mollify critics who say that Facebook's fact checkers tend to display an unseemly and unacknowledged set of biases. Again, in fairness to Facebook, content moderation is an inherently difficult task, even with considerable resources and the best of intentions. Even Soviet power, to take a historical example, couldn't suppress samizdat, the copying and distribution of literature banned by the state.
Dave Bittner: [00:12:32] Zuckerberg's essay is posted - where else? - on Facebook. Read the whole thing, but know that it's 3,200 words long. It reads a bit like an essay by a disillusioned Candide. Mr. Zuckerberg says that, quote, "one of the important lessons I've learned is that when you build services that connect billions of people across countries and cultures, you're going to see all of the good humanity is capable of, and you're also going to see people try to abuse those services in every way possible," end quote. You said it, brother.
Dave Bittner: [00:13:08] And now a bit about our sponsors at VMware. Their Trust Network for Workspace ONE can help you secure your enterprise with tested best practices. They've got eight critical capabilities to help you protect, detect and remediate. A single open platform approach, data loss prevention policies and contextual policies get you started. They'll help you move on to protecting applications, access management and encryption. And they'll round out what they can do for you with microsegmentation and analytics. VMware's white paper on "A Comprehensive Approach to Security Across the Digital Workspace" will take you through the details and much more. You'll find it at thecyberwire.com/vmware. See what Workspace ONE can do for your enterprise security - thecyberwire.com/vmware. And we thank VMware for sponsoring our show.
Dave Bittner: [00:14:08] And joining me once again is Ben Yelin. He's a senior law and policy analyst at the University of Maryland's Center for Health and Homeland Security. Ben, welcome back. We saw some interesting news come by that the District Court of Appeals in Florida has some decisions out about warrantless use of Stingrays. Can you unpack it for us? What's going on here?
Ben Yelin: [00:14:30] Sure. So this is the case at the Florida appeals court level. So it's a state court case in Florida. And the state of Florida ended up catching a murderer - a first-degree murderer - partially based on evidence obtained through a cell site simulator or a Stingray device. The murderer sought to suppress that evidence, which was not the only piece of evidence in the case, but one of the key pieces of evidence. And the District Court did suppress that evidence. The government appealed to the appellate court. And the appellate court upheld that motion to dismiss. And they did so talking about the privacy concerns inherent in cell site simulators.
Ben Yelin: [00:15:14] And we've seen other cases on this subject in Maryland. We had a state court case that held that the government does need to obtain a warrant for using a Stingray or cell site simulator. What's interesting to me is the reasoning in this case. It's really a fascinating decision. But the judge goes over a number of different relevant legal doctrines that seem to imply that these types of simulators are offensive to our notions of Fourth Amendment privacy.
Ben Yelin: [00:15:44] And in the decision, he talks about how courts have held that the government can't use technology to view information not visible to the naked eye, you know, a long-standing Supreme Court precedent. They can't attach a device to property to monitor your location. That's from a very famous case - United States v. Jones from 2012. They can't search a cellphone in your possession without a warrant. That's Riley v. California, 2014. And they can't get real-time location information from a cellular carrier. That's from United States v. Carpenter, which was decided this year.
Ben Yelin: [00:16:18] What they're saying is, to a certain extent, a cell site simulator does all of those things. And so it would be incongruent to say the government doesn't need a warrant to use this device when that device encapsulates a bunch of these other scenarios where the Supreme Court has declared that we do need a warrant. And part of it is just the extent of the information that's being revealed. This isn't a simple third-party records case where, you know, your phone calls are tracked because the telecommunications company wants to keep billing records.
Ben Yelin: [00:16:50] I mean, as the judge says, I mean, this is the government surreptitiously intercepting a signal that the user intends to send to their cellphone carrier, and intercepts - that same device intercepts all different types of other private data. And based on an extensive record of Supreme Court cases, we know that this runs afoul of many Fourth Amendment principles. It's interesting that the decision from Carpenter, which held that the government needs a warrant to obtain cell site location information, is already trickling down to state court decisions in the area of digital privacy. These things happen quickly.
Dave Bittner: [00:17:31] So how does this inform what law enforcement may do going forward from here?
Ben Yelin: [00:17:37] So obviously, for now, the decision only applies in the state of Florida. So it's - at this point, it's still a state-by-state issue. As I said, in Maryland, we've determined that the government needs a warrant. There are other ways that the government could use these devices without getting a warrant if they're able to justify under another warrant exception.
Ben Yelin: [00:17:54] So, for example, if there were exigent circumstances or some sort of threat to public safety, I think the government could still justify using these devices to conduct searches without running afoul of the Fourth Amendment even in the absence of a warrant. But I think we're starting to see at least a mini consensus emerge that because of the threat these devices are to personal privacy and digital privacy, the government is going to have to go through the formal process of going in front of a judge, making the case that they're going to find evidence that's relevant to an ongoing criminal investigation and get a warrant to do the surveillance work.
Ben Yelin: [00:18:32] And, you know, that's how it works with most forms of surveillance. You have to get a warrant to wiretap. You have to get a warrant to enter a person's house. I think because of the invasiveness of this type of search or this type of device, it makes sense that a similar warrant requirement would be the case here.
Dave Bittner: [00:18:52] Ben Yelin, thanks for joining us.
Ben Yelin: [00:18:54] Thank you.
Dave Bittner: [00:18:58] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsors, Cylance. To find out how Cylance can help protect you using artificial intelligence, visit cylance.com. And Cylance is not just a sponsor, we actually use their products to help protect our systems here at the CyberWire.
Dave Bittner: [00:19:17] And thanks to our supporting sponsor, VMware, creators of Workspace ONE Intelligence. Learn more at VMware.com.
Dave Bittner: [00:19:26] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor Jennifer Eiben, technical editor Chris Russell, executive editor Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.