Dave Bittner: [00:00:00] Hi, everybody. It's Dave. We're happy to announce that our new subscription program, CyberWire Pro, will be available soon. For everyone who wants to stay on top of developments in cybersecurity, CyberWire Pro is an independent news service that keeps you informed without wasting your time. This new offer includes such valuable content as exclusive podcasts and newsletters, exclusive webcasts, thousands of expert interviews and much, much more. As always, you can rely on us to separate the signal from the noise. Sign up to be one of the first in the know about CyberWire Pro at thecyberwire.com/pro. That's thecyberwire.com/pro. Check it out.
Dave Bittner: [00:00:45] The EU condemns Russian cyberattacks on Georgia, and Russia says Russia didn't do it; it's all propaganda. Skids can buy scamming tools for less than $20. Satellite constellations offer an expanding attack surface. Amid continuing worries about U.S. election security, the question of Russian trolling or homegrown American vitriol arises in Nevada - the smart money's on the U.S. of A. FISA reauthorization is coming up. Mr. Assange's extradition. And hello from RSAC 2020.
Dave Bittner: [00:01:23] And now a word from our sponsor, ExtraHop, securing modern enterprises with network detection and response. Security teams today want to say yes to cloud adoption, just like they want to support enterprise IOT and edge computing. But the more complex your architecture, the less you can trust your perimeter to keep threats out. When attackers make it into your environment, you need to be the hunter, not the hunted. ExtraHop helps organizations like Home Depot and Credit Suisse detect threats up to 95% faster with the context they need to act immediately. Visit them at RSA for a full product demo of threat detection and response for cloud, multicloud and hybrid enterprises, or learn more add extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show.
Dave Bittner: [00:02:18] Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning, defend and correct with deep learning, anticipate with artificial intelligence. McAfee, the device-to-cloud cyber security company. Go to mcafee.com/insights.
Dave Bittner: [00:02:44] Coming to you from Broadcast Alley at the RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire summary for Monday, February 24, 2020.
Dave Bittner: [00:02:55] The European Union has joined international condemnation of last October's cyberattack on Georgian websites, according to Eurasia Review. High Representative of the European Union for Foreign Affairs and Security Policy Josep Borrell, the EU's top diplomat, on Friday said, quote, "Georgia was the victim of a targeted cyberattack causing damage to their social and economic infrastructure," end quote. Western intelligence services, notably those of the U.K. and the U.S., have attributed the influence campaign to Russia's GRU. Georgia's government has thanked the EU for the expression of solidarity.
Dave Bittner: [00:03:33] Russia's foreign ministry has denied any involvement in the attack and puts the whole matter down to a coordinated propaganda campaign run from Washington, London, Tbilisi and an unspecified elsewhere. The ministry goes on to deplore Georgia's decision to demonize Russia and just when relations between the two peoples were getting so mutual. But many observers still see Fancy Bear's paw prints all over the caucuses. Note on the apparent misuse of mutual - it's an old Russian trope for solidarity, good feeling and so on.
Dave Bittner: [00:04:07] The commodification of the spamming business continues apace. A Digital Shadow study suggests that minimally skilled criminals are able to enroll in online phishing tutorials for an average tuition of just under $25 and can buy the tools necessary to conduct phishing attacks for less than $20. Criminal masterminds are more myth than reality, but the dark web markets show the power of the black market, its ability to turn a couple of hackerweight of skids into functional Professor Moriarties.
Dave Bittner: [00:04:38] An essay in Science Alert offers some informed speculation about the attack surface the rapidly proliferating internet-delivery satellite constellations present. Of particular note are the mentions of supply chain issues. As commodity components continue to drive down satellite costs, making private sector constellations realistically affordable, some are uneasy about the susceptibility of those components to compromise before they even reach the point of final assembly, still less launch and Earth orbit.
Dave Bittner: [00:05:10] Results from the Nevada Democratic presidential caucus are still being tabulated and have been disputed by former South Bend Mayor Buttigieg's campaign, but Senator Sanders seems the clear winner. The senator suggested twice last week, on grounds of a priori probability, that online nastiness apparently emanated from his supporters might well have been the work of Russian bots. Experts The Daily Beast polled think this is unlikely.
Dave Bittner: [00:05:36] The nastiness that prompted the senator's speculation about Russian trolling involved an intraparty squabble over the Culinary Workers Union and its decision not to endorse Senator Sanders' signature Medicare for All proposal. Attribution is always difficult, but it's worth remembering that America is great in lots of ways, including her ability to generate loudmouth invective at scale and in quantity.
Dave Bittner: [00:06:02] On the question of general election security in the U.S., The Washington Post's stable of experts comes down narrowly on the side of worry, as opposed to reassurance. Fifty-seven percent of The Post's network doubt that U.S. federal, state, and local election officials will be able to render the 2020 election reasonably secure against manipulation or tampering.
Dave Bittner: [00:06:23] The New York Times notes that the Justice Department IG's criticism of 2016 Operation Crossfire Hurricane make it likely that the Foreign Intelligence Surveillance Act will be significantly revised when key provisions expire in mid-March. The inspector general concluded that the FBI's requests for wiretaps during Crossfire Hurricane were flawed, and that had the bureau presented what it knew and ought to have known to the FISA court, it's unlikely that it would have received the warrants it eventually did.
Dave Bittner: [00:06:53] The team at security firm Checkmarx recently published their latest OWASP API Security Top 10 list. Erez Yalon is director of security research at Checkmarx.
Erez Yalon: [00:07:04] So API stands for application programming interface. It's basically an interface or communication protocol between client and server. And we love APIs. APIs make things simpler for us. So when we talk about API security, what we actually mean is the security of API-based apps, or you can even say modern application security because there is no modern application without APIs. So regarding this specific project of API Security Top 10, we started to see here in Checkmarx, where I work - we see a lot of, let's say, mistakes that are happening in code in securities, in software out there. And together with the migration to modern application from traditional applications, we see the area of vulnerability is kind of migrating.
Erez Yalon: [00:08:05] So we see client devices that are becoming more varied and stronger, so the logic moves from the back end to front end. If in the past we knew that clients would be only a web browser, now it can be a browser. It can be a mobile device. It could be a smartwatch, a smart car. It can be a bot. It can be some sort of business microservice. It can be a smart toaster - whatever you can think of, someone probably invented it. And it can be the client of your application.
Erez Yalon: [00:08:37] So there is no single action happening on the server side in sending a prepared page to the client. Now the servers act more as a proxy of sending a lot of raw data to the clients and making sure that the clients knows how to present it to the user according to their abilities. And there are consequences to that. The consequences are that the user state is maintained and monitored by the client. Clients consume raw data, and more parameters are sent. In each HTTP request, we can see object IDs and values and filters and many other things that in the past we did not see passing between server and client in the raw condition. And NPIs expose the underlying implementation of application security. And the current standards, including the OWAS Top 10, are very relevant to more of traditional applications, but they lack - there is a gap when we're looking at modern and API-based applications. And this is the gap that we wanted to bridge when we decided to start this specific project for API security.
Dave Bittner: [00:10:02] That's Erez Yalon from Checkmarx. WikiLeaks impresario Julian Assange's extradition hearings in London continue as the U.S. seeks to persuade the U.K. to send him stateside for trial on charges related to his alleged role in helping then-U.S. Army Specialist Bradley Manning obtain and leak classified information. Mr. Assange is not, the U.S. emphasizes, charged with WikiLeaks' role as a conduit for U.S. Democratic Party emails the U.S. intelligence community concluded were stolen by Russian intelligence services.
Dave Bittner: [00:10:37] And of course, RSAC 2020 is now underway in San Francisco. We'll have updates from the city by the other Bay as we receive them, and yours truly will be podcasting from Broadcast Alley all week. If you're in the neighborhood, stop by, say hello. We've got some stickers, and it'd be great to meet you in person.
Dave Bittner: [00:10:56] Before the conference opened, it felt the effects of concerns about COVID-19, the coronavirus strain that continues to spread from its point of origin in China. Fourteen companies, six of them from China, withdrew from the conference, TechRepublic observed. The three highest-profile cancellations were IBM, AT&T and Verizon. There have been a small number of cases reported in Northern California, according to the San Francisco Chronicle. The San Francisco Department of Public Health is providing updates on its website. Assessing the risk as low, RSAC intends to operate this year much as it always has.
Dave Bittner: [00:11:34] The conference's first big event will, as usual, be the innovation sandbox, the doors to which will open at 1:30 PM Pacific Time today.
Dave Bittner: [00:12:03] And now a word from our sponsor, LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes, one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale the protection to fit their needs, with one integrated software solution requiring no specialty hardware - meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show.
Dave Bittner: [00:13:18] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:13:27] Hi, Dave.
Dave Bittner: [00:13:28] Interesting article came by. This is Motherboard on the Vice website. And it's titled "SIM Swappers are Phishing Telecom Company Employees to Access Internal Tools." Are the SIM swappers upping their game here? What's going on?
Joe Carrigan: [00:13:43] Well, Dave, we have to have some empathy for these SIM swappers.
Dave Bittner: [00:13:45] (Laughter) Oh, do - OK.
Joe Carrigan: [00:13:46] Let's look at it from their perspective.
Dave Bittner: [00:13:49] Right, yeah.
Joe Carrigan: [00:13:51] Let's say I want to swap a SIM.
Dave Bittner: [00:13:52] OK, well, first, why would you want to do that?
Joe Carrigan: [00:13:54] Well, I may want to do that to gain access to someone's cryptocurrency wallet, to gain access to someone's social media accounts or maybe to intercept their SMS-based two-factor authentication.
Dave Bittner: [00:14:07] OK.
Joe Carrigan: [00:14:07] Right.
Dave Bittner: [00:14:07] So basically you're taking over someone's phone number.
Joe Carrigan: [00:14:10] Right.
Dave Bittner: [00:14:10] Yeah.
Joe Carrigan: [00:14:10] And the way I do that is with something called a SIM swap, which is where I change the SIM in the company's system so that the SIM I have is what the company thinks is the legitimate SIM.
Dave Bittner: [00:14:20] Associated with a particular phone number.
Joe Carrigan: [00:14:22] Right. Associated with the account, actually.
Dave Bittner: [00:14:24] Yeah. OK.
Joe Carrigan: [00:14:24] And the phone number. That's right.
Dave Bittner: [00:14:25] Right. Right.
Joe Carrigan: [00:14:26] So now, let's say I log in to my financial website, and I get a text message sent with a code. That code doesn't go to me any longer; it goes to the holder of the new SIM.
Dave Bittner: [00:14:36] Right.
Joe Carrigan: [00:14:36] Right?
Dave Bittner: [00:14:37] Right. OK.
Joe Carrigan: [00:14:38] So as a bad guy, I can call the phone company and I can socially engineer my way into someone's account and say, OK, well, I've got a new SIM card. Here's all the information. Please set it up, right?
Dave Bittner: [00:14:51] Right.
Joe Carrigan: [00:14:51] But then, if I want to do that again, I have to start the process all over, right?
Dave Bittner: [00:14:56] Who has time for that?
Joe Carrigan: [00:14:57] That's very labor intensive. And who has time for that?
Dave Bittner: [00:14:59] (Laughter).
Joe Carrigan: [00:14:59] So what these guys have realized is that it's much more efficient just to gain direct access to the systems that these telecom providers use. One of the systems that Verizon uses is called Omni. It's a - Omni's a customer service tool that helps you manage your customers. But if you have access to an Omni system, you can effectively change the SIM information for any of the customers at Verizon.
Dave Bittner: [00:15:26] And the access to these systems isn't just, for example, at a Verizon store.
Joe Carrigan: [00:15:31] Right.
Dave Bittner: [00:15:31] So their third-party providers would have access to this.
Joe Carrigan: [00:15:34] There are third-party providers out there that have access to the system.
Dave Bittner: [00:15:36] Right.
Joe Carrigan: [00:15:38] And that's kind of important for the business - right? - because Verizon may not want to put locations all over the place and may not want to incur that expense. So they say, you can be a Verizon reseller, right?
Dave Bittner: [00:15:49] Right.
Joe Carrigan: [00:15:49] And we'll give you some cut of whatever revenue. And everybody's happy, right?
Dave Bittner: [00:15:53] Yeah. Yeah.
Joe Carrigan: [00:15:54] It's good American business.
Dave Bittner: [00:15:55] And you need to be able to activate devices.
Joe Carrigan: [00:15:57] Right.
Dave Bittner: [00:15:57] So you need to access to the SIM information.
Joe Carrigan: [00:16:00] Correct.
Dave Bittner: [00:16:01] Right.
Joe Carrigan: [00:16:01] And you may need to help customers when they come in and they've lost their phone, and you need to give them a new phone or a new SIM.
Dave Bittner: [00:16:05] Yep.
Joe Carrigan: [00:16:05] Something's happened. So there are absolutely legitimate business cases that are essential to the operation of these telecoms.
Dave Bittner: [00:16:13] Right.
Joe Carrigan: [00:16:13] So they're phishing these - the resellers and actually the telecoms themselves trying to gain access to these systems so they can make these changes whenever they feel like it. And they're trying to be persistent with their access as well.
Dave Bittner: [00:16:24] So I know somebody who works for one of these companies. I phish them in order to get access to this system that allows me to basically do as many SIM swaps as I want to...
Joe Carrigan: [00:16:35] Right.
Dave Bittner: [00:16:36] ...Because I'm on the - I'm in the house, right? I'm inside.
Joe Carrigan: [00:16:39] Yep. You're in the house. Exactly.
Dave Bittner: [00:16:40] Inside.
Joe Carrigan: [00:16:40] Exactly.
Dave Bittner: [00:16:40] Yeah. Yeah. I also wonder, I mean, is this - could this be as simple as going to one of these third-party providers, finding somebody who works there who's not exactly on the up and up...
Joe Carrigan: [00:16:51] Yeah.
Dave Bittner: [00:16:51] ...Perhaps has the moral flexibility that, by slipping them a few bucks, they can, you know, take a lunch break, walk away and give me access to the terminal.
Joe Carrigan: [00:16:58] And we've seen stories about insider threats on these before as well.
Dave Bittner: [00:17:01] Yeah.
Joe Carrigan: [00:17:01] And the insider threat is a lot more difficult to protect against. There is a very simple way to protect against this and that is for all of these companies to use a hardware token for two-factor authentication. That way an attacker who phishes one of your reps or maybe a third party's rep - just require everybody, even third-party reps. If they access this system, the system that can change, you know, the internal system of our operations, then you need to have a two-factor that is based on a hardware token.
Dave Bittner: [00:17:30] I imagine a lot of this has to do with acceptable risk and the velocity of business being done because if I require, you know, all my third-party folks to use some kind of, you know, two-factor on their own use, that could slow things down. It could cause lines at the stand at the mall. People are unhappy. My resellers are unhappy. And, you know, it's harder for me to do business.
Joe Carrigan: [00:17:56] Yeah, well, the two-factor authentication with the token is remarkably fast. It's not a big overhead.
Dave Bittner: [00:18:02] Right. But I could see if I lose that token...
Joe Carrigan: [00:18:05] Right.
Dave Bittner: [00:18:05] ...And now I can't sell any phones for the rest of the day until I get a new token.
Joe Carrigan: [00:18:08] That's right, though...
Dave Bittner: [00:18:09] That's an issue.
Joe Carrigan: [00:18:10] That is an issue. That's correct.
Dave Bittner: [00:18:11] Right. Right. Right.
Joe Carrigan: [00:18:12] We're going to see which companies value the customer more by putting this requirement on the system.
Dave Bittner: [00:18:16] Yeah.
Joe Carrigan: [00:18:17] I think it's pretty obvious that that needs to be done. This is big, and the damage to the individual customers is going to be devastating...
Dave Bittner: [00:18:23] Yeah.
Joe Carrigan: [00:18:24] ...Can be devastating. Now, how can individual customers protect themselves? Obviously, use a password manager. That's always my No. 2 piece of advice. Use some factor - two-factor authentication is my No. 1 advice. But my No. 2 advice is use a password manager so that you have complex and different passwords for everything. If one of your accounts does get compromised, it's not going to be a huge problem that spreads for you. Also, use a two-factor authentication on all your accounts, and try to make that either a software token or a physical key.
Dave Bittner: [00:18:56] Yeah. Yeah, well, in this article, they point out that a spokesperson from Verizon said in an email - they said, we're aware of recent fraud campaigns that target some employees and others using social engineering. Verizon is fully engaged in these issues. We're continually working to improve our security controls and are implementing enhancements in response to activities like this.
Joe Carrigan: [00:19:17] Yeah. Verizon generally does a good job with security.
Dave Bittner: [00:19:20] Yeah.
Joe Carrigan: [00:19:21] They're a security leader in the telecom industry. They actually publish a report that is one of the leading reports. So when Verizon says, we're on it, I kind of think they're on it.
Dave Bittner: [00:19:32] Yeah, give them the benefit of the doubt.
Joe Carrigan: [00:19:33] Yeah, I do.
Dave Bittner: [00:19:33] Yeah. All right. Well, it's an interesting development here. Joe Carrigan, thanks for joining us.
Joe Carrigan: [00:19:38] My pleasure.
Dave Bittner: [00:19:44] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget, you can get the daily briefing as an Alexa flash briefing, too.
Dave Bittner: [00:19:54] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:07] Funding for this CyberWire podcast is made possible by RSA Conference, where the world talks security. Through global events and year-round content, RSAC connects you to cybersecurity leaders and cutting-edge ideas for a safer, more secure future. Learn more at rsaconference.com.
Dave Bittner: [00:20:26] Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at recordedfuture.com/podcast.
Dave Bittner: [00:20:55] The CyberWire podcast is probably produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rick Howard, Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.