A backdoor turns out to be a familiar kind of Telnet implementation (and it was fixed seven years ago in any case). A large database of US household personally identifiable information was found exposed online, but who owned it remains unclear. The US Department of Homeland Security releases a Critical Functions List. ISIS’s sometime Caliph is back online. And piracy streaming is loaded with malware. Who knew? Craig Williams from Cisco Talos on their research into malware markets on Facebook. Guest is Dean Pipes from TetraVX on the root cause of shadow IT.
Dave Bittner: [00:00:03] Vulnerable peer-to-peer software exposes consumer and small business IoT devices to compromise. A hacker says he's hacked automotive GPS trackers all for the good, of course, and could even turn off a car's engine - not, you know, that he would. Sri Lanka warns of the possibility of more violence. And journalists wonder if prior restraint of certain speech might be worth considering. Curating app stores for security and potty-mouth scooters on Brisbane Street.
Dave Bittner: [00:00:36] Time for a message from our sponsor, Bandura Cyber. Are you using threat intelligence, or is threat intelligence using you? Threat intelligence gateways, or TIGs, are an exciting emerging network security technology that take the heavy lifting out of making threat intelligence actionable, operational and useful. TIGs aggregate IP and domain indicators of compromise from an unlimited number of sources, such as DHS, information sharing groups like FS, MS or ONG-ISAC, commercial sources like Webroot or Anomali or even your own internal IOCs from your SIM or TIP. With the need for multiple sources and views of threat intelligence now more important than ever and with existing solutions' limited ability to ingest and block third-party IOCs at scale, TIGs make taking action with massive volumes of threat intelligence easy. Get the definitive guide to this next-generation technology - "Operationalizing Threat Intelligence: an In-Depth Guide to Threat Intelligence Gateways" - at banduracyber.com/cyberwire. A bonus - it's written by our friends at Bandura Cyber. They're the company that started the TIG category. And it's free. Again, that's banduracyber.com/cyberwire. And we thank Bandura Cyber for sponsoring our show.
Dave Bittner: [00:02:00] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 30, 2019. A Bloomberg report of backdoors affecting Huawei-manufactured Vodafone equipment seems to point out, at worst, carelessness and not the malice that backdoor has come to suggest. Huawei denies putting backdoors into the gear, telling ZDNet that this isn't about backdoors at all but rather about old vulnerabilities that were fixed - as the Bloomberg piece mentions - when those vulnerabilities were noticed back in 2011 and 2012. The backdoor is apparently a familiar Telnet issue. In fact, the Vodafone deployment seems to have been a fairly routine Telnet implementation. Vodafone itself was quick to object that it hadn't been done wrong by Huawei. Huawei pointed out, in its own defense, that not only were the vulnerabilities closed years ago - which would make this report more old news than news - but that it was Telnet and that every IT company has faced these issues in one form or another.
Dave Bittner: [00:03:03] We'll quote the Register since their take on the story is clear and memorable. Quote, "characterizing Telnet as a backdoor is a bit like describing your cat flap as an access portal with no physical security features that allows multiple species to pass unhindered through a critical home security layer. In other words, massively over-egging the pudding" - end quote. We're not exactly sure what over-egging a pudding actually means. We think it's probably an English thing, like having spotted dick with your buttered crumpets. But we're pretty sure it involves exaggeration, like trying to sell someone a plastic spoon by calling it not just a utensil but an eating solution. So sure, we've heard stuff like that on trade show floors, so be on the lookout for unnoticed Telnet. We knew someone who once found that a local raccoon was using the cat flap in her side door to backdoor the cat's food dish, then wash his hands and go back about his business. The raccoon didn't over-egg it either. We think some algorithm let him in, but the raccoon's not talking either.
Dave Bittner: [00:04:06] There is much eye-rolling and significant throat-clearing going on in the security sector's Twitterverse, with many of the cyber birdies tweeting that they're reminded of another Bloomberg story not so long ago about hardware backdoor spy devices inserted into the global supply chain by Chinese manufacturers, except that time, no one could seem to find the wee bugs. But Telnet - sure, that's a thing, only it's an old, familiar, known thing. So while many remain deeply suspicious of Huawei, this isn't evidence that the manufacturer is serving as Q for the Chinese Intelligence and Security Services. Forget it, Jake. It's Telnet.
Dave Bittner: [00:04:46] The odd case of a large database holding PII affecting some 80 million U.S. households prompts concerns that identity thieves have already hit some kind of jackpot. vpnMentor, whose researchers discovered the exposure, says no one knows who owns the database, but the data suggest online commerce. The database includes both geolocation and personal data. Among the items are street addresses and latitude and longitude. It also includes full names, ages and dates of birth - and, interestingly, the researchers couldn't find anyone under 40 in the database - gender, marital status, income, whether the individual described is a homeowner and what kind of home they live in. So whoever had the data had some fairly clear demographic interests in a section of the American population. Microsoft this morning said they'd taken down the database and notified its owner, but they haven't said yet who that owner was.
Dave Bittner: [00:05:45] Shadow IT is often described as employees of an organization taking on technical tasks on their own in order to circumvent what they perceive as roadblocks or speed bumps set up by the actual IT team in the name of security. Shadow IT isn't necessarily malicious, but it does come from the inside, which ups its potential for serious consequences.
Dave Bittner: [00:06:07] Dean Pipes is chief innovation architect at TetraVX, a provider of digital workspace collaboration tools.
Dean Pipes: [00:06:14] Businesses want to be able to move their strategic initiatives forward faster. And more and more people are coming in to - even with a business focus in their education and career, they're also bringing with them a large amount of technical expertise, whether it's through their own consumer electronics, their own study. So when IT is not acting in an agile and responsive manner, when IT doesn't provide enough funding to support all of the strategic initiatives, business tends to try to do things on their own.
Dave Bittner: [00:06:45] Yeah, it strikes me that - I suspect a lot of shadow IT happens not out of bad intentions. It's simply people are trying to get their work done, and they want to do it as quickly as possible.
Dean Pipes: [00:06:56] Absolutely. And sometimes they don't understand why an IT department might take a little more time to figure things out. They just dive right into it. Today's cloud-based platforms and technologies have become so much more user-friendly. There's a lot less required technical skill set to set up a new environment.
Dave Bittner: [00:07:14] So what do you suppose are the driving forces between this issue that we're facing here?
Dean Pipes: [00:07:19] It's a conflict between IT governance. That means a variety of different things, right? That means data security or information security. It means controlling access to information even within your own organization. It can also mean, you know, the choice of technology being used to apply to a given platform. There's a lot of technology sprawl that's happened in a lot of application environments, so IT struggles with making sure that where we add this capability it makes sense. It's sustainable. It can grow. But then on the flip side, the business just wants to move forward. People have initiatives that make sense that actually will generate revenue or create a better communication with their clients and retain clients and grow business with existing clients. Therein, I think, lies the conflict.
Dave Bittner: [00:08:07] Yeah, I hear this notion that sometimes IT is considered the department of no. If I go to IT, they're just going to tell me no. I've got work to do, so I'm going to try to solve this problem on my own.
Dean Pipes: [00:08:19] IT is traditionally not out there in the market, understanding how quickly things can change and how many disruptions can be occurring at a given time. Sometimes that answer of not right now or not this year could mean the difference between profitability and growth for an entire organization. So the department of no has to figure out how to say, wait, let's look at this. This could be the department of yes but only within these constraints. IT departments are also traditionally not big risk-takers. Historically, taking big risks in IT has led to everything from system instability to pretty prominent data breaches and regulatory violations, depending on the industry they're in. IT is not going to say fully, 100% yes to something without having studied it. Where I'm going with this is there's a lighter-weight version of how you study this and how you enable a business initiative to move forward without so much scrutiny, without so much heavyweight governance. It's almost like you have to go through and rethink some of your processes and figure out - is there a way we can fast track this?
Dean Pipes: [00:09:21] It's a two-way conversation, though. A business has to come forward with a business case that doesn't have every bell and whistle and every possible solution built into it. It's focused in on the core objectives, the core outcomes that are being sought, so that IT can focus in on the key tools, technologies or approaches that could help the business get there more quickly.
Dave Bittner: [00:09:40] That's Dean Pipes from TetraVX.
Dave Bittner: [00:09:44] U.S. Secretary of State Pompeo said this week that defending U.S. elections against Russian meddling will be a very long game. He warned that Russia will remain a threat to U.S. elections for decades. The U.S. Department of Homeland Security has issued a Critical Functions List describing 55 areas that must be protected from cyberattack. It's a longer and much more comprehensive list than the lists of critical infrastructure that preceded it. But DHS says, plausibly, that it actually represents an opportunity to focus attention on clearly prioritized risks and to see the implications activities in one sector hold for other sectors. And it seems that both cyberattacks narrowly conceived as hacking proper aren't the only cyber risks the new framework will consider. Information operations are also clearly a matter of some concern.
Dave Bittner: [00:10:38] ISIS leader Abu Bakr al-Baghdadi made a rare appearance in the terrorist group's internet channels to promise a worldwide wave of attacks in revenge for the caliphate's extinction in the territories it once controlled. He praised the Sri Lanka murders as the first wave of reprisal. It's noteworthy that its territorial loss and not the massacre of Muslims at prayer in New Zealand last month that gave al-Baghdadi his pretext for reprisal. This is thought to be al-Baghdadi's first appearance online since 2014. He's reclusive, as he well might be, given that he's wanted throughout the civilized world.
Dave Bittner: [00:11:17] And finally, in a dog-bites-man story, Naked Security is pointing out that apps designed to stream pirated content are positively teeming with malware. Among the most common varieties are credential stealers and bot wranglers. Who knew? Well, you knew, right? So stay away from the pirates, mateys - argh.
Dave Bittner: [00:11:45] Now it's time for a few words from our sponsor, BlackBerry Cylance. They're the people who protect our own endpoints here at the CyberWire. And you might consider seeing what BlackBerry Cylance can do for you. You probably know all about legacy antivirus protection. It's very good as far as it goes. But you know what? The bad guys know all about it, too. It will stop the skids. But to keep the savvier hood's hands off your endpoints, BlackBerry Cylance thinks you need something better. Check out the latest version of CylanceOPTICS. It turns every endpoint into its own security operations center. CylanceOPTICS deploys algorithms formed by machine learning to offer not only immediate protection but security that's quick enough to keep up with a threat by watching, learning and acting on systems' behavior and resources. Whether you're worried about advanced malware, commodity hacking or malicious insiders, CylanceOPTICS can help. Visit cylance.com to learn more. And we thank BlackBerry Cylance for sponsoring our show.
Dave Bittner: [00:12:55] And joining me once again is Craig Williams. He's the director of Talos Outreach at Cisco. Craig, It's great to have you back. I wanted to catch up with you. Not long ago, your team published some work that you titled "Hiding in Plain Sight." And this is about some stuff you found on Facebook with criminal groups using Facebook to communicate with each other.
Craig Williams: [00:13:16] Well, this is really the interesting thing about this specific campaign is that really, you know, Facebook's secret sauce - I think a lot of people would agree - is its ability to bring communities together. Now, normally, if that were like, hey, let's go exercise outside or let's go bake muffins - right? - people with those similar interests coming together would be a good thing, right? Everybody wants better muffins and more dog parks and frisbee games, right? Now, the bad thing happens when we have these groups called, like, spam professionals or Learn to Hack, right? And we've got a list of the 74 different groups that we tracked during our investigation in the post. And unfortunately, when someone joins one of these groups, that same core algorithm that would recommend, like, say, other baking groups recommends other groups involved in criminal activity.
Dave Bittner: [00:14:07] (Laughter) Of course it does.
Craig Williams: [00:14:08] Right. And so, you know, it led from people going from, like, a hacking forum, then it would suggest to carding forum, where people can buy and sell stolen credit cards or stolen accounts or even fake IDs. We even saw people conspiring to - well, seemingly conspiring to exchange money, presumably from some sort of criminal enterprise, from one country to the other. Those are really fascinating, especially around the fees involved. You know, people would talk about 30, 40% And we even had a screenshot, I believe, in the blog of someone offering to do up to a million dollars of, I guess, effectively, money laundering.
Dave Bittner: [00:14:46] Now, when I think of these sorts of groups, I immediately go to the dark web. And so I think it sort of raises eyebrows that this was out in the open so front and center. I mean, is this - were these private groups? Was this something that anybody could find with a search on Facebook?
Craig Williams: [00:15:06] Yeah, so that's a great question. You know, unfortunately, this appears to be a movement away from the dark web. You know, and when you think about it, if you're a bad guy trying to sell your hacking tools to unsophisticated users, are they going to be able to find those tools on the dark web? Right. I think chances are, no, right? They're not going to know what the dark web is. They're not going to know how to get there. But what everyone can really do is use Facebook, right? It's very intuitive. Anyone can pick it up and use it. People seem to like the interface. And so when they realize that, you know, hey, this is the number one social media tool in the world potentially, and it's got billions and billions of users, well, that gives them a lot of room to hide in plain sight.
Craig Williams: [00:15:48] You know, the reality is even if 1/10 of 1% of the users on Facebook are, you know, up to criminal activities, that's still going to be a much higher number than we're comfortable with just simply due to the size of the site. And it's going to make it that much harder for them to be discovered, you know. And I want to be clear here - this isn't just a Facebook problem. You know, we see this on every major social media site, right? You know, think back historically. We've seen people doing things like running botnets out of social media sites, you know, using them for C2. And so what it really comes down to is if something's free on the internet, bad guys are going to find a way to abuse it. And the reason they're moving to Facebook to, you know, facilitate these criminal enterprises is due to the way that the algorithm works - that it brings people together, that it will bring them people who want to buy their hacking tools, that it will bring them the people who want to buy those credit card numbers and those account numbers.
Dave Bittner: [00:16:42] Now, what about Facebook's responsibility for oversight here? If I spin up a new group, is there no one looking for what's going on in there? I mean, it seems to me like, you know, there's some things - Facebook wouldn't allow me to spin up a group, you know, full of porn or something like that. So there are some filters in place.
Craig Williams: [00:17:03] Right. And you know, I think every major social media site runs into this problem. And what it really comes down to, you know, and if you look at, like, say, Reddit, Twitter, Facebook, all of them have a reporting functionality. Now, I think the problem is a lot of people aren't reporting these type of groups. They see them, and they just kind of keep going, walking the other way, right? It really comes down to if you see something, say something. You know, click on that report button. Let Facebook know that these groups are up to criminal activity so that they can be taken down. And one of the things I was discussing with some of my teammates was, like, you know, imagine if you were a kid in this day and age, right? You know, the way I got into this business was basically wanting to hack at video games. Right? And so, you know, you can imagine the line between a video game hacking forum and a criminal hacking forum is a very thin one, and it's one that Facebook's algorithms could easily confuse. And so one of the things that concerned me as I looked into this was, what would happen to the impressionable 13-year-old who wanted to cheat at Fortnite and then, all of a sudden, had a system to send out spam campaigns?
Dave Bittner: [00:18:03] Right.
Craig Williams: [00:18:04] Right? I mean, those - at that age, you don't have the best judgment.
Dave Bittner: [00:18:08] Right. And that Facebook, through its algorithms, is sort of laying out this yellow-brick road in front of that kid to say, hey, we see you're interested in Fortnite hacks. Have you considered going into credit card thievery?
Craig Williams: [00:18:23] Right. And so that's why it was so important to us that we take action, that we reached out to Facebook's security team to make sure that these groups were taken down so quickly. And, you know, they were very responsive. They worked with us. So overall, it was a very successful operation. You know, I think this is just something that people need to be aware of. You know, I think if we asked the majority of people who use Facebook - do you think there are criminal users? - most of them would say no. But unfortunately, that's not the world we live in. You know, social media sites are going to be abused just like any other free service on the internet. And so you need to talk to your kids. You need to talk to your family and make sure that they realize, you know, online crime is a real crime. You know, it can have a detrimental impact to your career. It can have an impact to your education. And so you need to be careful online, and you need to be aware of your surroundings and what you're doing.
Dave Bittner: [00:19:10] Well, the report is titled "Hiding in Plain Sight." It's on the Cisco Talos blog. Craig Williams, thanks for joining us.
Dave Bittner: [00:19:21] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:19:34] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our CyberWire editor is John Petrik, social media editor - Jennifer Eiben, technical editor - Chris Russell. Our staff writer is Tim Nodar, executive editor - Peter Kilpe. And I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.
Pioneered in part with the U.S. Department of Defense, the Bandura Cyber Threat Intelligence Gateway enables organizations of all sizes to fortify their network defenses, automate threat intelligence, and maximize their current security investments. Learn more at banduracyber.com.
Cylance is revolutionizing cybersecurity with products and services that proactively prevent, rather than reactively detect the execution of advanced persistent threats and malware. Learn more at cylance.com.