The CyberWire Daily Podcast 1.16.20
Ep 1005 | 1.16.20

Curveball proofs-of-concept. CISA warns chemical industry. Military families harassed online. Phishing the UN. Fleeceware in the Play Store. Moscow says there was no Burisma hack.

Transcript

Dave Bittner: [00:00:00] Hey, everybody. Dave here. We here at the CyberWire are excited to announce our new subscription program, CyberWire Pro. That'll be coming out in early 2020. For those whose interests and responsibilities lead them to be concerned with cybersecurity, CyberWire Pro is an independent news service you can depend on to stay informed and to save you time. This offer includes such valuable content as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. And you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about the CyberWire Pro release at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out. 

Dave Bittner: [00:00:49]  Proof-of-concept exploits for the CryptoAPI vulnerability Microsoft patched this week have been released. CISA warns the chemical industry to look to its security during this period of what the agency calls heightened geopolitical tension. Families of deployed US soldiers receive threats via social media. Someone's been phishing in Turtle Bay. More fleeceware turns up in the Play Store. And Moscow heaps scorn on anyone who thinks they hacked Burisma. 

Dave Bittner: [00:01:22]  And now a word from our sponsor, PrivacyGuard. By now, you might have heard of the scary stats of how many times identity theft happens and of data breaches happening to big companies, companies that you might have done business with. But PrivacyGuard members can have more peace of mind. PrivacyGuard takes privacy personal. Protecting your privacy means protecting the integrity of your name, your reputation and your identity. PrivacyGuard is a comprehensive, personalized privacy protection service that helps protect you from identity theft. PrivacyGuard's public and dark web scanning will keep an eye on your private information. Plus, with PrivacyGuard's 24/7 triple-bureau credit monitoring, you can be alerted if a certain change to your credit score occurs, which could be an indication of identity theft. Your identity and privacy belong to you. PrivacyGuard works to help keep it that way. To learn more, go to privacyguard.com. That's privacyguard.com. And we thank PrivacyGuard for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee - the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:02:54]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, January 16, 2020. CRN offers a rundown of opinion to the effect that reaction to CVE-2020-0601 has been overblown. And to be sure, the NSA-disclosed Windows crypto flaw is not apocalyptic. But it's nonetheless one that should be patched without delay. Some of those reactions seem to come down to, well, if this bug is as serious as NSA says it is, then why did NSA tell everyone about it instead of quietly putting it to use? So OK. Persist in Fort Meade skepticism if you must. But don't disregard the common-sense precaution of patching the flaw. Microsoft classed the vulnerability as important, even though Redmond had seen no sign of its exploitation in the wild. Such exploitation has grown likelier. ZDNet reports that two proof-of-concept exploits of the CryptoAPI bug have already appeared. And they add that the vulnerability is now being called Curveball. Others following researcher Kenn White refer to the vulnerability as "Chain of Fools." We'll stick with Curveball, provisionally. 

Dave Bittner: [00:04:09]  The first Curveball exploit was posted to GitHub by researchers from Kudelski Security. It's a spoofing exploit that takes advantage of the way elliptic curve cryptography was implemented in crypt32.dll. As Kudelski explains it in their blog, quote, "we have been able to sign a certificate with arbitrary domain name and subject alternative names. And it will be recognized by Windows CryptoAPI as being a trusted certificate" - end quote. The second proof of concept was placed on GitHub by Danish security researcher Ollypwn. It, too, presents a method of spoofing certificates. The upshot of this is twofold. First, the proofs of concept virtually ensure, as ZDNet puts it, that the vulnerability will be exploited in the wild. And second - this should be obvious - do apply the patch. 

Dave Bittner: [00:04:59]  As the US and presumably Iran continue to glare at one another with mutual suspicion in cyberspace, no significant attacks from either side have come to public attention. But the US Cybersecurity and Infrastructure Security Agency, CISA, has cautioned the chemical industry that it could be subject to cyberattack and has offered advice on hardening itself against the threat. The warning is a follow-on to recent alerts during what CISA calls this period of heightened geopolitical tension. CISA doesn't cite specific indicators and warnings. And it hasn't mandated any steps by industry. But the advice the agency is offering the chemical industry would be sound at any time. CISA recommends increased vigilance. It also suggests that industry dust off its reporting procedures and practice its incident response plans. 

Dave Bittner: [00:05:50]  With respect to cyberthreats, CISA recommends that critical information be backed up and stored offline and that industry tests its ability to revert to backups in the event of a cyber incident. It suggests that industry review its cybersecurity risk analysis and offers help to organizations that want it. Now is also a good time for cyber awareness training and a particularly good time to look for and change any default passwords that may have been left in the enterprise. Patches should be brought up to date. And both IT networks and industrial control systems should be scanned for signs of vulnerabilities and malicious activity. It would be good to update application whitelists and review accounts to ensure that they be given the least privilege necessary. And finally, both incident response and business continuity plans should be reviewed and updated where necessary. 

Dave Bittner: [00:06:41]  There are countless options out there these days when it comes to cybersecurity tools. And everyone says their tool is, of course, the best. It can be impractical and daunting to wade through all of the available offerings. The folks at AVANT rely on a network of what they call trusted advisers to help organizations navigate the field. Ron Hayman is chief cloud officer and COO at AVANT. 

Ron Hayman: [00:07:05]  So a trusted adviser, when they come and work with you, they represent about 300 providers. Now, obviously, not all of them will be security. But they have a portfolio of providers. And what we like about this process is they can help you ethically pit the industry against itself and find the very best provider for you. And the trusted adviser has access to - in the case of AVANT's engineers, which we have 12 of. And then they also have access to the engineering staff of the different service providers. And so they're able to essentially do an RFP, get all the requirements and then leverage our engineering team to figure out what the best two or three providers are that are laser-focused in that particular area. And then we bring them hand in hand with a trusted adviser to the customer. And we let them pick out who they think is the best fit for them culturally or maybe based on price or whatever it is that's making them make that buying decision. 

Dave Bittner: [00:08:05]  I'm imagining that this could be particularly helpful to small and medium-sized businesses. Is that an accurate assessment? 

Ron Hayman: [00:08:12]  Yes, it is. It's an underserved market, small and medium, especially when it comes to cyber and just IT in general. And so we've seen a pretty big MSP movement. But more important than the MSP movement is the managed security service provider movement because that is something that these small and medium businesses can no longer afford to ignore. Companies go out of business when they're without mail for a matter of days. And we're seeing intellectual property and other things that are really important to the company and the brand image be at risk more consistently. You've seen what's happened with the ransomware. 

Ron Hayman: [00:08:51]  It's been in the news a lot, especially in local municipalities and state and federal government. But that's also happening quite a bit in companies as well. And when they lose access to their data, to their intellectual property, to all the things that give them what they need to go out and do business, you can imagine, you know, that you're really putting that company at risk. So definitely small and medium businesses will benefit from having access to these service providers. 

Dave Bittner: [00:09:21]  It sounds like an interesting value proposition for sure. As someone who would engage with one of these trusted advisers, how am I guaranteed that they're looking out for my best interest and not the folks on the other side of the equation, the folks who are providing the services? 

Ron Hayman: [00:09:37]  Yeah, so that's a good question. And I think you always have to make sure that whoever you're working with is a true partner, a true trusted adviser. And you know, trusted advisers, a lot of times, the reason why they're there is because they have a really good relationship with the buyer. And they want to have a long-term - you know, they want to have a long-term relationship with them. So they're there for the right reason, at least the ones that we work with. And they're incentivized to try and help make the best possible decision for that customer because if the customer wins, then they win. And ultimately, they get more business. 

Dave Bittner: [00:10:14]  That's Ron Hayman from AVANT. 

Dave Bittner: [00:10:18]  According to Threatpost and BleepingComputer, Cofense researchers determined that the United Nations sustained a phishing campaign designed to deliver Emotet and the TrickBot Trojan. The campaign, which apparently was less than fully successful, used emails spoofing the Norwegian mission to deliver a malicious Word document. Sophos finds more fleeceware apps in Google's Play Store. Fleeceware automatically charges subscription fees if the user neglects to cancel when a trial period expires. And users often find that breaking up is hard to do. As the noted American philosopher Mr. Tom Waits put it in another context, the large print giveth, and the small print taketh away. 

Dave Bittner: [00:11:00]  And finally, Moscow has delivered the usual informational counter-battery fire in the Burisma hacking case. Sputnik, a reliable Kremlin mouthpiece, pooh-poohs the whole episode as a self-serving conspiracy theory launched by Hillary Clinton, or so says Sputnik. The style of their debunking is worth noting. It's tabloid-esque, quoting tweets from people represented as being ordinary patriotic Americans who have wised up to Ms. Clinton. The tweets are a fair representation of the kind of one-line zingers Twitter is structured to favor. But they don't really amount to what you'd call an argument. Ukraine's interior ministry isn't so dismissive. They've asked the FBI for assistance in their own investigation of the Burisma incident. 

Dave Bittner: [00:11:50]  And now a word from our sponsor, LastPass. LastPass is an award-winning security solution that helps millions of individuals and over 61,000 organizations navigate their online lives easily and securely. Businesses can maximize productivity while still maintaining effortless, strong security with LastPass. Each entry point in your organization can compromise your business' security. LastPass Identity can minimize risk and give your IT team a breakthrough integrated single sign-on password management and multifactor authentication. LastPass Identity enables you to manage and control user access for all access points in your organization, add an additional layer of security to every single login through multifactor authentication, securely authenticate into your work using biometrics such as fingerprint or face, deliver a passwordless login experience for your employees while securing every password in use through enterprise password management and gain an integrated view across all access and authentication tasks to know which employees are accessing what, when and where. To learn more, visit lastpass.com. That's lastpass.com. And we thank LastPass for sponsoring our show. 

Dave Bittner: [00:13:16]  And I'm pleased to be joined once again by Craig Williams. He's the director of Talos Outreach at Cisco. Craig, always great to have you back. You all recently published a report here. It's titled "How Adversaries Use Politics for Compromise." Take us through what's going on here. 

Craig Williams: [00:13:32]  What's one thing that's in common for most attacks that target the user, right? I think if we sit back - and let's look at this objectively. And then we'll dive into why politics are being used. But if you look at how users are targeted, particularly around the holidays, there tend to be certain things, right? If we look at the specific vectors, we'll see things like lottery-type activity. We'll see deals. We'll see things around coupons. We'll potentially see things around, like, urgent, right? Like, urgent - click here. You may have won a million dollars. Or urgent - click here, you know, to download your free copy of "Star Wars: Episode - whatever." 

Dave Bittner: [00:14:11]  Yeah. 

Craig Williams: [00:14:11]  I'm a huge fan, honestly. 

Dave Bittner: [00:14:12]  That would work on me. 

Craig Williams: [00:14:13]  Yeah. And you know - and so what they all have in common is they want people to respond emotionally. 

Dave Bittner: [00:14:21]  Right. 

Craig Williams: [00:14:22]  Right? And they want people to respond in a way that they're just going to click without thinking about it. You know, it's a lot like gambling, right? If you look at the way gambling works in successful machines, they don't just say, you won or lost. They want to imply you may have lost but you just lost, right? Like, look at the spinner dial. It's right next to the win sign. That's how close you came. And you know, give you that feeling of, oh, well, if I just try one more time, I'm going to get it, right? 

Dave Bittner: [00:14:50]  Right. 

Craig Williams: [00:14:50]  And so that's the kind of response these scammers want. They want someone to not think about it, to not think logically, to take all these lessons that we've learned - right? If it's too good to be true, it probably is. 

Dave Bittner: [00:15:03]  Right. 

Craig Williams: [00:15:03]  Check the URL before you click on it. They don't want you to think about that. They want you to think, oh, whoa, that's somebody wrong on the internet or that's something I need to win and quick. 

Dave Bittner: [00:15:13]  (Laughter) Right. Wind me up. Yeah. 

Craig Williams: [00:15:15]  Right. And so if we look at things that wind people up, say, you know, hypothetically, this last quarter, there might be, I don't know, one or two political things. 

Dave Bittner: [00:15:26]  No. 

Craig Williams: [00:15:26]  Yeah, I mean, maybe. 

Dave Bittner: [00:15:29]  Really? Yeah. 

Craig Williams: [00:15:29]  You know what? 

Dave Bittner: [00:15:30]  All right. 

Craig Williams: [00:15:30]  I think I saw something on the news. 

Dave Bittner: [00:15:32]  We'll go with a hypothetical. Proceed. 

Craig Williams: [00:15:34]  Yes. And so the natural evolution to this was to basically target politics. And so we started looking around at different malware campaigns that had political drivers. And what we found was just a truly astonishing number in both variety and amount. And the variety we saw was absolutely stunning and absolutely hilarious. (Laughter) I don't know if you've had a chance to look at the post, but we had a dancing Hillary. We had a... 

Dave Bittner: [00:16:11]  (Laughter). 

Craig Williams: [00:16:11]  ...Winking Putin. We, of course, had a truly astounding amount with negative commentary and implications around the US president. 

Dave Bittner: [00:16:20]  Right. 

Craig Williams: [00:16:21]  It's very strange why they would do that. 

Dave Bittner: [00:16:23]  (Laughter) Well, there's something for everyone here, right? 

Craig Williams: [00:16:25]  Absolutely. 

Dave Bittner: [00:16:28]  No matter your political persuasion.... 

Craig Williams: [00:16:29]  Yeah. 

Dave Bittner: [00:16:30]  ...There's something to... 

Craig Williams: [00:16:30]  If you're a Russian agent, if you're - (laughter)... 

Dave Bittner: [00:16:33]  Yeah, something to get your motor running. 

Craig Williams: [00:16:35]  Right. And so that's exactly the goal, right? The goal is not to actually exchange political discourse, which is what every, you know, non-technical American might want to do, right? They see their political opponent, and they immediately want to explain to you, hey, something's wrong on the internet, right? We all know... 

Dave Bittner: [00:16:53]  Yeah. 

Craig Williams: [00:16:53]  ...The famous "xkcd" comic. Well, that feeling is a thing. We all have felt that, right? I mean, how many times have you been sitting there in public and someone says something silly like, I don't run antivirus for my computer. I don't believe in vaccines. And, like, your eye just starts to twitch... 

Dave Bittner: [00:17:12]  Right. 

Craig Williams: [00:17:13]  ...You know, involuntarily and... 

Dave Bittner: [00:17:15]  Right. 

Craig Williams: [00:17:15]  ...Beads of sweat. 

Dave Bittner: [00:17:15]  For you, that's a trigger warning, right? Yeah. 

[00:17:17]  (LAUGHTER) 

Craig Williams: [00:17:20]  But... 

Dave Bittner: [00:17:20]  Your wife says, just step away, Craig. Just step away. 

Craig Williams: [00:17:22]  Yeah. Or she'll change the subject. She'd be like, so, do you want to take me to the gun range later? I mean, well, I guess. But - so it's things like that, that they want to respond - they want to have people respond emotionally so they don't follow best practices. And the reality is that type of thought process is involved as often, I think, as the deal process, you know - right? - like the gambling process, basically. I think they're very similar and they're probably connected at some psychological level that I don't know about because I didn't pursue that level of education. So if anybody out there has any, I'd debate it on Twitter. 

Dave Bittner: [00:17:59]  (Laughter) Of course, because that's where the best debates happen. 

Craig Williams: [00:18:02]  You know, it's Twitter or Reddit. That's where you go for fun debates (laughter)... 

Dave Bittner: [00:18:06]  Right, right. 

Craig Williams: [00:18:06]  ...Where everyone's right and, you know, only downvote everybody you disagree with. 

Dave Bittner: [00:18:10]  Now, what are you recommending to protect yourself against this sort of thing when we're dealing with human emotional components? 

Craig Williams: [00:18:17]  Well - so that's a really great question. And I think it comes down to, you know, one of the things that we probably say a lot - and so I'll explain the different levels to it. But the first one is - right? - you've got to have a layered defense, right? Like anything else, there's not going to be one magic bullet. So I would say the easiest layers are, you know, have something like a content blocker in place. And so if you don't want to pay for one through an antivirus, you know, you can use our free OpenDNS service. You could use Google's Safe Browsing service, something to take off that, like, highest layer of long-term lazy attacker, right? So let's knock out, like, this 75% and then have something a little bit more advanced, maybe something like, you know, an anti-spam solution, an email security plan or web security that knocks out that second level of more dynamic content - right? - those type of ads or pop-ups, looks at file attachments - right? - some sort of advanced malware protection system, like an antivirus engine, be it, you know, ours or somebody else's, just something out there to knock down those known binaries. And that'll cover you, you know, a pretty reasonable amount just between those three. 

Craig Williams: [00:19:24]  And I think, you know, the last one is really going to be - you know, I hate to say this, but it's user education. You've got to have people learn self-control. And I know, on the internet, that's much easier said than done. But the thing is, people are constantly targeting the user. They're going to find a way to spin you up. Absolutely. It's going to happen. If it's not politics, maybe it's religion. Maybe it's gun control. Maybe it's health care. 

Dave Bittner: [00:19:48]  Yeah. 

Craig Williams: [00:19:49]  But they will find a way to spin you up. And you've got to sit back and realize, I'm being manipulated, right? 

Dave Bittner: [00:19:54]  Right. 

Craig Williams: [00:19:55]  I think most adults would realize if that was happening in person. And they would realize, look, I don't need to engage with this person. I don't know them. They don't matter in my life. I'm not voting here, right? 

Dave Bittner: [00:20:05]  Yeah, right. 

Craig Williams: [00:20:06]  I should just go on my way and get to work or whatever they're doing. And people have got to take that life lesson that they've learned in person and apply it to the online world. 

Dave Bittner: [00:20:15]  Yeah, keep that top of mind. 

Craig Williams: [00:20:17]  And it's especially true on social media. I mean, people forget, but that's really what social media is, is you're basically in public, looking at other people's discussions and conversations. And you can chime in or not. And a lot of the time, or not is probably the wisest decision. 

Dave Bittner: [00:20:32]  Yeah. The post is titled "How Adversaries Use Politics for Compromise." Craig Williams, thanks for joining us. 

Craig Williams: [00:20:39]  Thank you. 

Dave Bittner: [00:20:45]  And that's the CyberWire. For links to all of today's stories, check out our daily news brief at thecyberwire.com. 

Dave Bittner: [00:20:51]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company, the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:21:02]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, Sammy the Wonder Dog (ph), and I'm Dave Bittner. Thanks for listening.