Dave Bittner: [00:00:00] Hey, everybody. Dave here with a couple of quick announcements before we get to today's show. First of all, we are excited to announce that Alex K. and Adam M. each won a free full conference pass to RSA in San Francisco through our giveaway. Congratulations to Alex and Adam. And thanks to all of you who participated in our survey. Second, I want to remind all of you that we are starting our new subscription program, CyberWire Pro. That's going to be available soon. For anybody who wants to stay on top of developments in cybersecurity, CyberWire Pro is an independent news service that keeps you informed without wasting your time. This new offer includes valuable content such as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much more. As always, you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about CyberWire Pro. You can find out more at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out.
Dave Bittner: [00:01:05] FireEye offers a summary of current Iranian cyber capabilities. The GAO warns that the Census Bureau still has some cybersecurity work to do before this year's count. Researchers call mobile voting into question. And some observations about why some extortion brings in a bigger haul than its rivals.
Dave Bittner: [00:01:30] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future is the real-time threat intelligence company whose patented technology continuously analyzes the entire web to develop information security intelligence that gives analysts unmatched insight into emerging threats. And when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily. And if it helps us, we're confident it will help you too. Subscribe today, and stay a step or two ahead of the threat. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. And are you attending RSA Conference 2020 in San Francisco, February 24 through the 28th? Well, don't forget to stop by booth 743 to meet the Recorded Future team in person and pick up a free copy of their new book, "The Threat Intelligence Handbook." Come on by and say hello. And we thank Recorded Future for sponsoring our show.
Dave Bittner: [00:02:40] Funding for this CyberWire podcast is made possible in part by McAfee - security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights.
Dave Bittner: [00:03:05] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, February 13th, 2020.
Dave Bittner: [00:03:14] Researchers at security firm Cybereason say that hackers associated with Hamas have been phishing rivals in the Palestinian Authority. The lure is an attached PDF that carries a backdoor installer. There are two distinct campaigns in progress. The first deploys the Spark backdoor, a known threat in the past year. The other installs a previously unremarked backdoor that Cybereason calls Pierogi. The campaign shows certain similarities with those run by the MoleRATs since 2012. The phishbait was mostly topical news of interest to the region, including stories about U.S. peace plans and the U.S. drone strike that killed the Iranian Quds Force commander Major General Soleimani.
Dave Bittner: [00:03:58] The targets appeared, for the most part, to be Fatah leaders. Fatah is the principal rival of Hamas in the Palestinian territories. While Cybereason stopped short of calling the hacking a Hamas operation, they do draw attention to the similarities with MoleRATs' style, and they do point to the loose affiliation of hackers that have been called the Gaza Cyber Gang and which other researchers, CyberScoop points out, have linked to Hamas. Cybereason's assessment of the quality of the campaigns is that they show considerable thought and ability. The attackers have learned from past mistakes, and they've shown a sophisticated ability to use both homegrown and purchased tools.
Dave Bittner: [00:04:39] With the U.S. and Iran on mutually high alert in cyberspace, FireEye provides an overview of Iranian cyber capabilities. If you are interested in the current state of APT33 - also known as Refined Kitten, Magnallium and Holmium - or APT34 - that is, Helix Kitten - APT35, or Rocket Kitten - APT39 - Chafer - or any of Tehran's other operators, check out their podcast. They cover attacks, influence operations and mitigations.
Dave Bittner: [00:05:13] A U.S. Government Accountability Office assessment warns about aspects of the Census Bureau's preparation for the 2020 U.S. census. While the GAO found the bureau to be working toward an effective count, their study also found that the Census Bureau was having difficulty meeting milestones for IT testing and cybersecurity assessment. The GAO would like to see the Census Bureau implement the cybersecurity recommendations it's received from the Department of Homeland Security over the past two years.
Dave Bittner: [00:05:43] Of particular concern are the possible vulnerabilities of the census to both hacking and disinformation. Federal News Network reports that these worries have prompted concerns in the U.S. House of Representatives that the census could prove to become the Iowa Democratic caucus writ large. Some of those concerns are probably overwrought. For example, the Census Bureau told Congress that it's satisfied that the multiple cloud backups it's arranged lend it sufficient resilience to recover from an attack that affected the data it collects. And the bureau has certainly devoted far more time and attention to development, testing and deployment than the Iowa Democratic Party was able to bring to Shadow's IowaReporterApp. Nevertheless, Congress and the GAO seem likely to keep a close eye on the 2020 census.
Dave Bittner: [00:06:31] CCPA, the California Consumer Privacy Act, went into effect earlier this year. And much like GDPR before it extended beyond the EU, you don't have to be physically located in California to be subject to CCPA. Darren Van Booven is lead principal consultant at Trustwave.
Darren Van Booven: [00:06:50] So right now, the operative date for CCPA was January 1 of this year. However, the latest amendment to CCPA gave the California attorney general an extension to provide implementation guidance or implementation specifications on CCPA - extended that deadline to July 1, I believe it is, or the end of June. So we have this six-month period of time where we have the regulation in place as an operative date, so technically, that is the law of the land. However, the attorney general, at least at this point in time, has released some draft implementing regulations. However, it's still going through a public comment period, and those have not yet been finalized. Attorney general has until the end of June to release the final regulations or the final implementing regulations, but we don't know for sure between now and then when those will occur.
Dave Bittner: [00:07:50] So what sort of recommendations are you making in terms of companies making sure that when things really go into effect and start rolling, that they're going to be ready?
Darren Van Booven: [00:08:02] What I do when looking at compliance and requirements and regulations, I break it down into bite-sized chunks and then work backwards from there. If an organization has to delete, for example, any personal information upon request going back the last 12 months, there are several things behind that requirement. One is, do you know where all of your data sets are? I start there because that's something that a lot of organizations don't have a good handle on. Are you able to identify where the data is that you're collecting, be able to identify the specific data sets that apply, and if you are able to do that, how do you know that when you've received the request to delete the data, that the data is actually all deleted? How do you know the answers to those questions?
Darren Van Booven: [00:08:53] And so kind of from start to finish on that one, when the request comes in, you have to be able to validate the identity of the individual requesting the deletion, and so there are some requirements around that. How do you do that? How do you identify the data sets? How do you make sure that they're deleted and whatnot? And same thing when it comes to just management of the data since organizations have to disclose the categories of information, business purpose all that good stuff about California consumer data - how do you know that you are disclosing all of the information? You have to have a good handle on the data flow in your organization. And so I start there because that's the most complicated piece, is the data management piece.
Dave Bittner: [00:09:36] Has California given any indications of how they're going to go about enforcing this, how hard they're going to come down on people who aren't meeting the regulations?
Darren Van Booven: [00:09:48] That's a good question. And if we look at other requirements that have come out not necessarily at the state level, but perhaps federal, the HIPAA Privacy Rule is an example of this, where, when it first came out, there are requirements for privacy, and there were stated fines and whatnot. It took a little bit of time for organizations - health care organizations to learn how the government is - or HHS is going to enforce HIPAA, how they are going to apply fines. And I think the same thing's going to happen here - is, the actions that the attorney general takes when it comes to enforcement and the fines that get levied and under what circumstances are going to play out over time.
Darren Van Booven: [00:10:28] When taking a look at this from a business perspective, I would err on the side of the attorney general being more stringent or more strict when it comes to enforcement rather than less. That's always a safe assumption. And so paying close attention to the attorney general's implementation guidance will be very key here, making sure that you capture all of those things so that if CCPA applies to you - and let's say you experience a major breach of personal information - that you're able to prove to the attorney general if he or she - I guess at the moment, it's a he - comes knocking on your door and asks you, hey, did you comply with CCPA before this breach happened, that you would be able to demonstrate that. So I would definitely take the enforcement seriously. And CCPA has some pretty significant fines called out in its verbiage for organizations that don't comply. So the intent behind California lawmakers, I think, is definitely for organizations to take this seriously.
Dave Bittner: [00:11:31] That's Darren Van Booven from Trustwave.
Dave Bittner: [00:11:35] Researchers at MIT conclude that Voatz - that's V-O-A-T-Z because of course it is - a mobile voting application that's been adopted by some U.S. counties and one state - West Virginia - especially for the purpose of collecting absentee ballots, is vulnerable to attackers wishing to alter, stop or expose a user's vote. The researchers based their conclusions on reverse engineering of the application. They write, quote, "we find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop or expose a user's vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user's secret ballot. We additionally find that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality. Our findings serve as a concrete illustration of the common wisdom against internet voting and of the importance of transparency to the legitimacy of elections," quote.
Dave Bittner: [00:12:35] The developers of the Voatz app have strongly objected to the research, saying the MIT team used an old version of its product, an Android version that was at least 27 versions old. The MIT researchers, ZDNet reports, maintain that the version they used was still available on Google Play. In any case, Voatz offered two other specific objections. The app the researchers used wasn't connected to the Voatz servers and, had it attempted to do so, would have failed to pass identity and security checks. Finally, the researchers used a conjectured image of vote servers and proceeded on the basis of false assumptions about the way the different components of the company's system interacted.
Dave Bittner: [00:13:17] And finally, IBM X-Force researchers have been looking into sextortion campaigns, and they found that Emotet spam has eclipsed Necurs in its intake of ransom. There are two reasons for this. Emotet tends to hit victims through their work email, whereas Necurs affected mostly webmail accounts. And Emotet users charge their victims in bitcoin, not the less valuable Dashcoin favored by Necurs-using hoods.
Dave Bittner: [00:13:50] And now a word from our sponsor, ObserveIT, a Proofpoint company. The greatest threat to businesses today isn't the outsider trying to get in. It's the people you trust, the ones who already have the keys - your employees, contractors and privileged users. Sixty percent of online attacks are carried out by insiders. To stop these insider threats, you need to see what users are doing before an incident occurs. ObserveIT enables security teams to detect risky user activity, investigate incidents in minutes and effectively respond. With ObserveIT, you'll know the whole story. Get your free trial at observeit.com/cyberwire. That's observeit.com/cyberwire. And we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:14:43] And joining me once again is Johannes Ullrich. He's the dean of research at the SANS Technology Institute, also the host of the ISC "StormCast" podcast. Johannes, it's always great to have you back. I wanted to touch today on some IoT threats. There's some things going on here folks should be aware of, and it goes beyond passwords.
Johannes Ullrich: [00:15:02] Right. You know, a lot of the home IoT security sort of has focused on securing the devices themselves. And I guess, you know, it has sort of become a holiday tradition by now that after you unwrap your devices, you set a strong password; maybe you try to figure out how to patch them. But overall, the devices - yes, so there are a lot of problems with devices we have seen, and botnets like Mirai and so take advantage of them. But many of these home devices are behind firewalls and behind NAT, so that makes them a little bit more difficult to attack. A couple years ago, I went to Home Depot and saw one of these cloud-controlled thermostats. It was one of the sort of cheap Nest knockoffs. And you know, first, I thought, hey, cloud-controlled thermostat makes perfect sense - more clouds, I need less AC. But...
Dave Bittner: [00:15:54] (Laughter).
Johannes Ullrich: [00:15:54] That's not really sort of how it works. Because these devices have the same problem with NAT and such, so when I'm on the road and I would like to check on my thermostat, I'm not actually connecting directly to the thermostat. I'm connecting to some kind of cloud service. The thermostat is connecting to some cloud service. And then we use that to sort of exchange messages. Or with cameras, you often have, like, these STUN servers that are sort of used to - for the mobile app and the camera to sort of meet up in some cloud service, and then they negotiate how they can connect directly to each other.
Johannes Ullrich: [00:16:30] And lately, these cloud services have really sort of become a big target because first of all, as a user, you have less control over these cloud services. Yes, you can set up a password, but with my cloud-controlled thermostat, well, it looked good. I had to set up a password to log in with the mobile app. I never had to enter the same password to my thermostat. And the thermostat doesn't even have a keyboard for that. Turns out the thermostat pretty much just used the serial number to authenticate itself to that cloud service.
Dave Bittner: [00:16:59] Oh, interesting.
Johannes Ullrich: [00:17:01] So with cameras, of course, it has become a huge issue with, like, Ring lately and these cameras where attackers use just simple brute forcing of passwords to connect to the cloud components of these cameras and then were able to connect to the camera itself. Yeah, that - it doesn't really matter what password you set up on the camera itself. Well, of course you have to secure your account to - but again, there's much less you can do about this, you know? With a Ring, for example, not protecting you very well against some of these brute forcing or credential stuffing attempts, you can't really do anything about it.
Johannes Ullrich: [00:17:40] Or not just to hit on Ring - another camera manufacturer that's quite popular, Ubiquiti - or UniFi, they're also known under - what's actually nice about them is they rely less on cloud service in the sense that you can buy a fairly cheap little device that you install in your house, and - guess you call it cloud key, so all the data is stored on that device on your premises, which is nice, yeah, so you don't have any issues with your video footage being stored somewhere else. But you still have that problem of being - having to connect to that camera from the outside - so again, to have some STUN server in here to facilitate this. And lately, actually, for their wireless access points, they started sending performance data from the wireless access point to their cloud service.
Johannes Ullrich: [00:18:27] Now, you may want to block this. You know, you may not necessarily want things, like, you know what SSIDs you're using, how many devices you have and such being reported back to them. Their advice was, well, just block the connection with firewall. You can do that, you know? Sounded like a great idea, but once you do that, that little process to have running on the access point that tried to reach out to that cloud service actually sort of, you know, went crazy and...
Dave Bittner: [00:18:52] (Laughter).
Johannes Ullrich: [00:18:52] ...Chewed up all of the CPU's cycles on the access point. So that wasn't really a valid solution either. So a lot of these IoT devices have these components where they are reporting back to the cloud, but they're allowing access via a cloud service. And as a user, you have very little control over this. You may not even realize, many cases, what data is, for example, being exfiltrated.
Dave Bittner: [00:19:15] And is this a situation of just sort of buyer beware, that you need to do your homework before you purchase one of these to make sure you know what you're getting yourself into?
Johannes Ullrich: [00:19:24] Yes, it's definitely a buyer-beware thing. I always recommend that if you have a device like this - we just bought it; you realize some of these things just don't look right - return it to the manufacturer. That's really, I think, the only thing that's going to change things here is, if it costs them too much money to sell crap, then maybe they'll fix it and sell a little bit better device and fix it on their back end.
Dave Bittner: [00:19:49] All right. Here's hoping. Johannes Ullrich, thanks for joining us.
Johannes Ullrich: [00:19:52] Thank you.
Dave Bittner: [00:19:57] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget, you can get the daily briefing as an Alexa flash briefing too.
Dave Bittner: [00:20:08] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:19] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. See you back here tomorrow.