The CyberWire Daily Podcast 1.15.20
Ep 1004 | 1.15.20

Disclosure, patching, and warning. Norway takes on “out-of-control” data sharing by dating apps. Ransomware all-in on doxing. What to do about Huawei.

Transcript

Dave Bittner: [00:00:04] NSA gives Microsoft a heads-up about a Windows vulnerability, and CISA is right behind them with instructions for federal civilian agencies and advice for everyone else. Norway's Consumer Council finds that dating apps are out of control with the way they share data. Ransomware goes all-in for doxing. The US pushes the UK on Huawei as Washington prepares further restrictions on the Chinese companies. And think twice before you book that alt-coin conference in Pyongyang. 

Dave Bittner: [00:00:40]  And now a word from our sponsor PrivacyGuard. By now, you might've heard of the scary stats of how many times identity theft happens and of data breaches happening to big companies - companies that you might've done business with. But PrivacyGuard members can have more peace of mind. PrivacyGuard takes privacy personal. Protecting your privacy means protecting the integrity of your name, your reputation and your identity. PrivacyGuard is a comprehensive, personalized privacy protection service that helps protect you from identity theft. PrivacyGuard's public and dark web scanning will keep an eye on your private information. Plus, with PrivacyGuard's 24/7 triple-bureau credit monitoring, you can be alerted if a certain change to your credit score occurs, which could be an indication of identity theft. Your identity and privacy belong to you. PrivacyGuard works to help keep it that way. To learn more, go to privacyguard.com. That's privacyguard.com. And we thank PrivacyGuard for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:12]  Back at our CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, January 15, 2020. It's good to be home. 

Dave Bittner: [00:02:22]  Microsoft's fix for Windows CryptoAPI, issued yesterday with credit to the National Security Agency for telling Microsoft about the vulnerability, prompted an emergency directive from the Department of Homeland Security's Cybersecurity and Infrastructure Security directorate. That's CISA. Federal agencies are expected to patch promptly, in accordance with Emergency Directive 20-02. So the US government is clearly putting its money where its disclosures are. 

Dave Bittner: [00:02:51]  As CISA blogged yesterday morning, quote, "the most important thing you can do for your cybersecurity is to update your software. And if you're a Windows user, today is your day," end quote. CISA looks after, roughly speaking, the dot-gov domain, with responsibility for federal agencies other than the Department of Defense, which has the dot-mil domain, and certain national security systems. Affected agencies have 10 days to apply the patch, and the statutory boilerplate surrounding the emergency directive should be sufficiently intimidating to spur even the most laggard agency CIO into action. CISA says that it hopes state and local governments, private sector organizations and the general public will also patch quickly, although, of course, it has no jurisdiction over them. 

Dave Bittner: [00:03:40]  The Washington Post sees NSA's disclosure as representing a departure in policy. And, indeed, the agency's Cybersecurity Directorate head, Anne Neuberger, did say that it was a change in approach. A number of observers have commented to the effect that NSA was now on its best behavior, playing nice by disclosing bugs rather than weaponizing them. But the real change in approach was NSA's decision to allow its disclosure to be made public. It has disclosed vulnerabilities before, but there's a new openness to its process. 

Dave Bittner: [00:04:13]  CISA was ready with its own warnings and directions on the vulnerabilities patched yesterday, which suggests that the cross-agency coordination between NSA's Cybersecurity Directorate and their counterparts in the Department of Homeland Security is functioning in this early test case. Both organizations are young, CISA having been established on November 16, 2018, and NSA's Cybersecurity Directorate at the beginning of this past October, so the way cooperation between them evolves will be worth watching. 

Dave Bittner: [00:04:44]  The Norwegian Consumer Council determined that several dating apps are collecting users' personal data and sharing them with various advertising networks. The Telegraph says the dating apps include Tinder, Grindr and OkCupid. Among the advertising outfits are Google, Facebook and Twitter. The Norwegian Consumer Council is filing formal complaints against Grindr and five companies with whom the dating app was oversharing - Twitter's MoPub, AT&T's AppNexus, OpenX, AdColony and Smaato. 

Dave Bittner: [00:05:17]  The action is being taken under the European General Data Protection Regulation, GDPR, which prohibits collection of personal data without the affected person's explicit consent. Reports suggest that the data collected include such sensitive categories as sexual preference and ethnicity and that Grindr, at least, was also sharing geolocation, the better for its commercial partners to serve up advertising, piping hot. 

Dave Bittner: [00:05:43]  The companies named in the Consumer Council's action appear to represent the more egregious data abusers, but the council is not at all measured in the way it characterizes the problem. It's out of control, they say, and given the companies involved, it seems a lead-pipe cinch that data are flowing through some unanticipated and probably little-tracked advertising channels. 

Dave Bittner: [00:06:06]  Ransomware operators are increasingly showing a disposition to turn to doxing as an incentive to get victims to pony up. If data are simply encrypted, then well-prepared victims who've backed their files up securely in places inaccessible to the attackers can, at some relatively small trouble and expense, restore their systems and plug the holes that let the attackers in. And then, of course, they can cheerfully thumb their nose at the extortionist. 

Dave Bittner: [00:06:32]  Things are more complicated when the attackers take the trouble to steal data before they encrypt it, and that's recently become the norm in this corner of the underworld. The gang behind Nemty ransomware intends, according to Bleeping Computer, to follow the example of Maze and Sodinokibi by setting up a site on which it can dump files stolen from victims who are laggard in paying the ransom. It's also interesting to see the criminal-to-criminal market behaving in ways that mimic legitimate markets. Nemty's basically put out a launch announcement. 

Dave Bittner: [00:07:05]  We checked in with the Chertoff Group's Chris Duvall for his insights on the state of ransomware. 

Chris Duvall: [00:07:11]  We're thinking 2020 is going to be, you know, another banner year for ransomware, you know, potentially even worse than previous, for a couple of different reasons. The bad guys are discovering that it's a lot easier just to fire and forget. You can put in a string of IP address ranges to look for vulnerabilities. You can do automated sort of phishing tests. And so being able to do that kind of high-output automation is just going to increase the number of potential vulnerabilities they discover and then can be exploited, is one factor. 

Chris Duvall: [00:07:42]  The other factor is while there's been improvements in kind of not only the attention paid to ransomware due to, you know, media reporting and just general, you know, folks trying to lock down better security procedures, it's making the - sort of the adversary more wary and so almost more desperate. So, you know, those that may see this sort of lucrative stream potentially drying up are going to try even harder to sort of find, you know, those vulnerabilities and those big fish and exploit them. 

Dave Bittner: [00:08:11]  In the conversations that you're having, do you feel as though the word is getting out that people are starting to implement things like multifactor authentication and doing their backups? Are you getting that feedback from them that that message is reaching them? 

Chris Duvall: [00:08:26]  It is. It is. I mean, but it's a - you know, as you know, it's a constant challenge. As the saying goes, the bad guys only have to get it right once; the good guys have to get it right every time. And so being able to lock down both any potential vulnerabilities across your entire kind of landscape, making sure that your employees are knowledgeable about what to look for and what not to look for and what links to click on and not to click on, all those things are - it's a constant sort of exponential problem, depending on how large your organization is. 

Dave Bittner: [00:08:54]  How about in the boardroom? Are those folks, at those levels in organizations, what's their relationship to this? Are they seeing this as the hazard that perhaps it is? 

Chris Duvall: [00:09:05]  That's a great question. I think that is one of the biggest improvements that we've seen, particularly in 2019 is - you know, end of '18, into '19 - and we're hoping will continue into 2020, which is the attention that the board is paying to security and to cybersecurity. And so there's no longer, at least it seems to be less so, a conversation about, OK, do we have things locked down? And if not, what new tool do you need? But, really, more of an honest conversation with the chief information security officer about what types of breaches or, you know, what types of attempts of breaches have we seen? You know, what have we been doing about them? What's our return on investment? And so that conversation at the board level appears to be increasing, which is very encouraging. 

Dave Bittner: [00:09:44]  But what about the human side of this? I'm thinking of, you know, security awareness training in organizations, getting beyond the necessary technical elements that an organization should have, but also helping your employees to recognize things like phishing campaigns. 

Chris Duvall: [00:10:00]  It's crucial. I mean, it's one of those things that any organization has to have the - you know, if you just think about it mathematically, if you have a 2,000-person organization and if you have a 20% click rate, I mean, all that's - that's, you know, 200 folks that have clicked on a potentially malicious link that may have access to the system. So being able to reduce or being able to educate your workforce to sort of recognize when something seems fishy and to notify is key. And employees are the first line of defense. If you don't have that, then most of the other security procedures you're going to take are just kind of, you know, putting your fingers in the holes in the dam. 

Dave Bittner: [00:10:41]  Right. Right. Yeah, it's an interesting thing because simultaneous to that, the availability of sophisticated tools for perhaps less sophisticated users, and then you put that up against the idea that we've heard a lot about, that the targeting has grown much more sophisticated, that there are a lot of actors out there who are doing their homework when it comes to ransomware, that are - particularly with things like phishing campaigns, you know, they - it's not so much of a shotgun sort of spray-and-pray approach, perhaps as it was in the past. Does that align with what you're seeing? 

Chris Duvall: [00:11:15]  Absolutely. No, there probably isn't a day that doesn't go by where we don't, in our cyber practice area, get together and sort of have printed out, you know, an email that we receive that looks genuine, like from our CEO Chad Sweet or from the secretary. So the sophistication and the targeting has really increased over the last year in particular. 

Dave Bittner: [00:11:36]  That's Chris Duvall from the Chertoff Group. 

Dave Bittner: [00:11:39]  As the UK nears a decision on Huawei and its potential role in the nation's 5G, The Guardian reports that Her Majesty's government has already taken into account the most recent US revelations and that it seems likely to conclude that any risk associated with Huawei is manageable. The US has warned that too much Huawei in the infrastructure could force the American services to constrain the way they share intelligence with their British counterparts. But the head of MI5, Andrew Parker, has told the Financial Times that he thinks the special relationship is too long-standing, too close and too special for matters to go that far. That said, there's no denying that the US has been both assertive and consistent on the risks posed by Huawei. 

Dave Bittner: [00:12:25]  Back on this side of the Atlantic, the US Federal Communications Commission seems ready to expand its ban on both Huawei and ZTE gear, JDSupra says. That's a demand-side measure, and according to CNBC, the US Commerce Department is considering stronger supply-side measures against the Chinese firms, with tighter export controls against them under consideration. Those controls would have an impact on third countries as well. 

Dave Bittner: [00:12:53]  We've just returned from a trip to a conference in Seattle, and like many of you, we're now looking ahead to a trip to San Francisco, since the RSA Conference is just around the corner. But let's say you, friend, are interested in mixing it up. You've heard about those cryptocurrencies, sister, and those blockchains, brother, and you're ready to learn from the best and swap some ideas with other movers and shakers in the fast-moving world of alt-coins and the wallets they flow through. 

Dave Bittner: [00:13:21]  Well, ever been to Pyongyang? Neither have we. But the 2020 Pyongyang Blockchain and Cryptocurrency Conference will meet at the Sci Tech Complex between February 22 and 29, ending on Leap Day - and how often can that happen? We know - every four years. But how can you pass this one up? 

Dave Bittner: [00:13:41]  The answer to that would be yes, yes, yes, yes, indeed. No matter how much you've always wanted to party with the Lazarus Group, do pass this one up. But don't just take our word for it. Listen to the U.N.'s own experts, who tell Reuters that attending the conference would constitute a violation of international sanctions the civilized world has imposed on the DPRK. 

Dave Bittner: [00:14:04]  There are plenty of other things to do in late February. You could stay home and watch TV, for example. The XFL will be playing, and that weekend, you could watch the Los Angeles Wildcats take on the New York Guardians or see the St. Louis Battlehawks go toe-to-toe with the Seattle Dragons. Sure, it's not that Super Bowl thing we hear about - which, by the way, we completely lost interest in around 11 p.m. Eastern Time, this past Saturday. But you can take this to the bank - it'll be better than a visit to the gift shop at the Victorious Fatherland Liberation War Museum, and it'll be legal, too. 

Dave Bittner: [00:14:45]  And now a word from our sponsor LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Each entry point in your organization can compromise your business' security. LastPass Identity can minimize risk and give your IT team a breakthrough, integrated single-sign-on password management and multifactor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multifactor authentication, securely authenticate into your work using biometrics - such as fingerprint or face - deliver a passwordless login experience for your employees while securing every password in use through enterprise password management and gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, visit lastpass.com. That's lastpass.com. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:16:11]  And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, also the host of the ISC's "StormCast" podcast. Johannes, it's always great to have you back. We wanted to touch today on something that you all are looking into. This has to do with some AutoCAD files and some vulnerabilities that have been popping up there. What do you have to share with us today? 

Johannes Ullrich: [00:16:31]  Yeah. So the bad guys, they are always getting creative and finding new document types to hide malware, typically to bypass filters in your mail servers. So you have filters inspect, for example, Word documents to make sure there are no macros in them and such. But turns out that AutoCAD files - these are usually using a .dwg extension - well, they're actually the same OLE standard files as Microsoft Office documents, and they can contain pretty much the same Visual Basic for Application macros that you find in Word and Excel. 

Johannes Ullrich: [00:17:09]  So we have seen a couple of these AutoCAD files being used to attack users. And what's a little bit tricky here is, first of all, you know, AutoCAD is not a commonly installed desktop application. So your targets are a lot more sparse here. But it's usually people in your company that work sort of on your latest, greatest designs on proprietary data that you're trying to protect. So it's certainly a very important target. And I think, you know, that's where these AutoCAD files are really becoming an issue. 

Johannes Ullrich: [00:17:48]  You may say, hey, I can just filter for AutoCAD files. Yes, you can do that, and definitely, that's something that you should do. It's also a little bit different than - you may have heard occasionally about like, you know, executable code being added to images and such. That's usually just done to infiltrate the code into the organization. You still need some special, usually malicious software to parse this code out of these images. With AutoCAD files, well, if you have AutoCAD already installed, no real malware is needed other than this malicious AutoCAD document. 

Dave Bittner: [00:18:22]  Now, in terms of getting these AutoCAD files to the folks who would then launch them, is this just straightforward kind of phishing sorts of things? 

Johannes Ullrich: [00:18:32]  Yep. What we have seen so far is pretty much, you know, spear phishing e-mails. Someone receives an e-mail with an attachment telling them, hey, this is a new design that I'm working on or whatever. So this is sort of how they usually appear to be distributed. Of course, they could also arrive as a link to a website - maybe if someone sort of finds some open repository of AutoCAD drawings, like of parts and such. They could, of course, use them. Haven't seen that part yet. But this would be - it's a little bit similar to - from a developer's point of view, when you're including libraries and such, a lot of AutoCAD users are using paired libraries and such that, you know, of course, may also include these malicious macros. 

Dave Bittner: [00:19:18]  And I suppose there's an educational component to this as well. If you've got folks on your staff that are using AutoCAD, put the word out that - perhaps disabling macros or, at the very least, being on the lookout for this sort of thing. 

Johannes Ullrich: [00:19:30]  Certainly, that's a real good idea. You know, not actually sure if you can disable macros like you can do in Word. With AutoCAD, definitely be on the lookout for it. And, you know, make sure on your mail servers, in your web proxies and such, that you don't forget to inspect those AutoCAD documents. In general, whenever you receive an attachment with an odd extension, it's probably a good idea to quarantine them and, you know, look at it later from a security point of view. 

Dave Bittner: [00:20:02]  Yeah. All right. Well, Johannes Ullrich, as always, thanks for joining us. 

Johannes Ullrich: [00:20:06]  Thank you. 

Dave Bittner: [00:20:11]  And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com. 

Dave Bittner: [00:20:18]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company, the leading insider threat management platform. Learn more at observeit.com.

Dave Bittner: [00:20:28]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing, amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.