Joint UK-US warning on COVID-19-themed cyber threats. Disinformation in the subcontinent. Public and private apps with privacy issues. A new IoT botnet. APT notes. Frontiers in biometrics.
Dave Bittner: [00:00:04] NCSC and CISA issue a joint warning on cyber threats during the COVID-19 pandemic. India's government seeks to limit disinformation on social media. Zoom works on privacy issues, and government contact-tracking apps face their own problems. A new DDoS botnet is out. BGP hijack requests persist. Is a front company facilitating Chinese government RATs? Spies and spyware. And a biometric advance leads from the rear.
Dave Bittner: [00:00:40] And now a word from our sponsor ThreatConnect. Designed by analysts but built for the entire team, ThreatConnect's intelligence-driven security operations platform is the only solution available today with intelligence, automation, analytics and workflows in a single platform. Every day, organizations worldwide use ThreatConnect as the center of their security operations to detect, respond, remediate and automate. With all of your knowledge in one place, enhanced by intelligence, enriched with analytics, driven by workflows, you'll dramatically improve the effectiveness of every member of the team. Want to learn more? Check out their newest e-book, "SOAR Platforms
Dave Bittner: [00:02:11] From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, April 8, 2020. British and American cybersecurity agencies have issued some joint advice on cybersecurity. The U.K.'s National Cyber Security Centre, the NCSC, and the U.S. Cybersecurity and Infrastructure Security Agency - more familiarly known as CISA - have issued a joint public warning about ways in which the pandemic and the emergency measures put in place to contain it have given rise to a wave of cyberattacks. The advisory introduces its warnings like this - quote, "both APT groups and cybercriminals are likely to continue to exploit the COVID-19 pandemic over the coming weeks and months. Threats observed include phishing, using the subject of coronavirus or COVID-19 as a lure, malware distribution, using coronavirus or COVID-19-themed lures, registration of new domain names containing wording related to coronavirus or COVID-19, and attacks against newly and often rapidly deployed remote access and teleworking infrastructure."
Dave Bittner: [00:03:19] Much of the malicious activity is being carried by email. CISA's assistant director for cybersecurity, Bryan Ware, said - in an email, as it happens - as the COVID-19 outbreak continues to evolve, bad actors are using these difficult times to exploit and take advantage of the public and business. Our partnerships with the NCSC and industry have played a critical role in our ability to track these threats and respond. We urge everyone to remain vigilant to these threats. Be on the lookout for suspicious emails, and look to trusted sources for information and updates regarding COVID-19. We are all in this together, and collectively, we can help defend against these threats.
Dave Bittner: [00:04:00] The NCSC's cover note adds some sensible overarching cautionary advice. This is a fast-moving situation, and this advisory does not seek to catalogue all COVID-19-related malicious cyber activity. You should remain alert to increasing activity related to COVID-19 and take proactive steps to protect yourself and your organization. So the advisory summarizes the threats the agencies are seeing, and it offers brief but useful guidance on how individuals and enterprises might deal with them. The full advisory is online at the us-cert.gov website.
Dave Bittner: [00:04:36] Authorities in India are cautioning against - and prosecuting - disinformation during the current state of emergency. Reuters reports that the Indian government has asked both Facebook and TikTok to remove users they determine to be spreading misinformation about COVID-19. The authorities are particularly concerned about mis- or disinformation directed at Muslim audiences. According to the Mumbai Mirror, the authorities are serious about prosecuting those who promulgate fake news and hateful posts in social media. One-hundred-thirty-two cases are open, and 35 arrests have been made so far.
Dave Bittner: [00:05:13] ZDNet writes that Zoom, the teleconferencing service whose use exploded during the current pandemic emergency, has brought in Alex Stamos, formerly Facebook's security chief and subsequently a fellow at Stanford, as an independent security consultant. Stamos emphasized in a blog post that he is neither an employee nor an executive at Zoom, but that he is attracted to the challenge of how a low-friction collaboration platform might scale without presenting hackers with an equally low-friction opportunity. Taiwan has banned Zoom entirely, largely because of the company's ties with Chinese enterprises and because, the Register notes, Zoom sends much of its traffic through China.
Dave Bittner: [00:05:55] Zoom is far from the only service struggling with privacy. Privacy concerns run neck-and-neck with public health during the COVID-19 pandemic. Many governments are scrambling to find ways of tracking contacts at scale during the pandemic. As Computing reports, there is a general search for tools that can do this in ways that don't compromise individual privacy. But so far, the apps being deployed aren't inspiring confidence in this respect. Researchers at ZeroFox report that the governments of Italy, Colombia and Iran have stumbled badly with respect to the privacy protections of the mobile apps they pushed out. It seems reasonable to assume that this is more a general problem. ZeroFox doesn't attribute the privacy issues to bad intent, not even, we observe in fairness, in the case of Iran. It's just a difficult problem to solve.
Dave Bittner: [00:06:45] Bitdefender researchers today reported their discovery and assessment of a major Internet of Things botnet. They call it dark_nexus after a string it prints in its banner. They add that while the new botnet incorporates some code from both Qbot and Mirai, it's significantly more capable than these and other competitors. Intended for distributed denial-of-service, dark_nexus is regularly updated and designed to be unusually persistent. Bitdefender thinks it's the work of a known botnet wrangler who goes by the name greek.Helios, who advertises DDoS services in various social media.
Dave Bittner: [00:07:23] The team at venture capital firm Blue Ventures recently held a funding competition called Cyber Tank, modeled after the popular TV reality show "Shark Tank." In this case, four entrepreneurs made their pitch to a group of CISOs and VCs. At the end of the day, it was threat-hunting platform InQuest that caught the judges' eyes. Pedram Amini is chief technology officer at InQuest.
Pedram Amini: [00:07:47] Apparently this is the first time they had it in this format. I mean, quite literally, we walked out to the "Shark Tank" music, so that was kind of a unique experience. You know, both my co-founder and I have a lot of friends in the area. One of our advisors happened to be involved with the Blue Ventures group, so he brought it up, and then we had another contact who also brought it up. And then the third time, I saw it on LinkedIn. So at that point, we got interested and wanted to get involved.
Dave Bittner: [00:08:14] Well, take us through that process then. How did you prepare to tell the story of what you're up to there at InQuest to this panel of judges?
Pedram Amini: [00:08:23] Yeah. You know, it's - generally when you're pitching an idea, you've got 30 minutes to an hour. You know, in this case, we had just a few minutes. So we really just went with the story. You know, my background is very much in the shoes of an offensive security researcher. And my business partner is very much a defensive background. You know, I ran one of the biggest computer hacking teams on the planet, and he was playing defense for, you know, one of the largest and most-attacked offices on the planet. And so between the two of us, you know, we kind of have a full-spectrum view of the whole thing. And when we came to build a product, we bring both, you know, sides of the team to the equation. So we just went with the story - you know, how we met, what fuels our passion and how that resulted in InQuest being founded and then fell into the Q&A session from there.
Dave Bittner: [00:09:14] Yeah. That's interesting. What sort of questions were they asking you?
Pedram Amini: [00:09:18] You know, this is one of the other reasons why we thought this event would be interesting. It was really neat. You know, they had essentially three sharks. And so ours was Ron Gula, you know, an absolute - he's a well-known name in the industry, someone that I looked up to when I first got into the game. And then you also have a CISO that's paired with you. You know, ours was the CISO of Unisys. So each group had one shark and one CISO that was paired with them in the sense that anybody could ask questions, but that specific pairing had done some homework beforehand and came prepared with some tough questions. So, you know, that was highly valuable for us. You know, anytime we can glean insights from a practitioner that's in - you know, a CISO from a large corporation, you know, that's good for us.
Dave Bittner: [00:10:02] Now you all - you won the day. You were the winners of the competition. What happens next?
Pedram Amini: [00:10:08] You know, the Blue Ventures group is a pretty unique - I guess they're an angel group. You know, it's a large collection of folks, mostly in the Beltway area. We will follow up with an official pitch to that group. You know, InQuest as a company has been profitable from Day One, so we're not exactly in a position where we're looking for outside investment. But as they say, the best time to ask is when you're not looking. So we look forward to pitching to that group and hearing their questions and having some more time to dive into what we do.
Dave Bittner: [00:10:37] What sort of recommendations or advice would you have for other organizations who may be in a similar situation and are considering a competition like this one?
Pedram Amini: [00:10:47] Sure. I mean, the best advice I can give is you - at the end of the day, you have to put yourself out there. You know, whether - nothing is too big or too small. No event should be seen as not providing potential value. You know, just get out there. Put the time in, and good things will come of it.
Dave Bittner: [00:11:03] That's Pedram Amini from InQuest.
Dave Bittner: [00:11:07] One of the more interesting features of yesterday's BlackBerry Cylance report on a decade-long record of RAT-herding by five related threat groups working on behalf of the Chinese government is its identification of a possible front company. World Wired Labs is the purveyor of the nominally legitimate administrative, incident response and parental monitoring tool NetWire. The researchers assess NetWire as a Remote Access Trojan. Legitimate tools can certainly be abused, but World Wired Labs seems curiously elusive, with suspiciously vague contact information. It's based, for example, as the researchers put it, somewhere in Belize.
Dave Bittner: [00:11:47] NSO Group in its ongoing litigation with Facebook claims, basically, that spyware doesn't spy; spies do. The Guardian reports the company doesn't operate the technology it sells. That's fair enough, maybe, but the matter raises some questions about lawful intercept tools in general. There are certainly technologies that seem to have legitimate markets but that need to be sold to a restricted set of buyers. Military weapons in general would seem to fall into this category, as do many articles of police equipment. Perhaps that's the sort of model that might be applied to lawful intercept tools. Bugging the mob is one thing. Bugging a political opponent is another.
Dave Bittner: [00:12:30] And finally - hey, everybody. Researchers at Stanford have just discovered and operationalized a new biometric modality, which is being characterized as anodermal. What's the deuce? Well, that's all we've got to say on this one. We are a family show after all. Look it up.
Dave Bittner: [00:13:31] And now a word from our sponsor, BlackCloak. Oh, come on. It's not like anybody actually needs this anymore. I mean, executives in their personal lives, they're doing great. They all have advanced malware detection on all their devices. They're using dual-factor authentication everywhere. Their home networks are rock solid secure. And they never, ever use a weak password. As for their families - little Luke and Leia and their significant other - well, they're pillars in the cybersecurity community, right? You're right. I was dreaming there for a minute. The fact is executives and their families are targets. And at home, they have no cybersecurity team to back them up. Instead of hacking the company with millions of dollars' worth of cybercontrols, hackers have turned their attention to the executives' home network and devices which have little to no protection. BlackCloak closes this gap in your company's protection. With their unique solution, the cybersecurity professionals of BlackCloak are able to protect your executives and their families from hacking, financial loss and private exposure. Mitigate these risks that could lead to a corporate data breach or reputational loss. Protect your company by protecting your executives. To learn more and partner with BlackCloak, visit blackcloak.io. That's blackcloak.io. And we thank BlackCloak for sponsoring our show.
Dave Bittner: [00:14:25] And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: [00:14:35] It's good to be back, Dave.
Dave Bittner: [00:14:37] Interesting article. This is from the folks over - doing the Naked Security blog by Sophos. And it's titled "COVID-19 Forces Browser Makers to Continue Supporting TLS 1.0."
Joe Carrigan: [00:14:50] That's right.
Dave Bittner: [00:14:50] What's going on here, Joe?
Joe Carrigan: [00:14:51] OK. So TLS 1.0 and 1.1 are older now, and they have been deprecated by browsers already. But...
Dave Bittner: [00:15:00] And TLS stands for?
Joe Carrigan: [00:15:01] It - excellent question, Dave. I'm making the assumption everybody understands what this is.
Joe Carrigan: [00:15:05] It stands for transport layer security, and it is a way of encrypting information within the network stack so that the data is encrypted at the transport layer. Now, what that means is - it's not encrypted at the IP layer. So as far as IP is concerned, the data is plain text. But one layer up, at the transport layer, it is encrypted...
Dave Bittner: [00:15:29] OK.
Joe Carrigan: [00:15:29] ...Which means that further up, for the user, it's encrypted. And this is how your webpage, your web traffic is encrypted as well.
Dave Bittner: [00:15:37] OK.
Joe Carrigan: [00:15:37] So any time you see that little lock and you know that you're communicating securely with the server...
Dave Bittner: [00:15:42] Right.
Joe Carrigan: [00:15:42] ...You're communicating over TLS. The old version, before TLS 1.0, was SSL. And that is completely not supported anymore.
Dave Bittner: [00:15:49] OK.
Joe Carrigan: [00:15:50] It's not viewed as secure. These older protocols have been around long enough that they're now less secure and - to the point where people don't even view them as secure, and you can be out of PCI compliance if you're using one of these older versions. Also, there's a concern that some of the web services may stop functioning if you're using these older versions because they're not being supported. So what these browser companies are doing - browser-makers like Google and Microsoft and Mozilla - they're saying, well, we were going to stop supporting TLS 1.0 and 1.1 in 2020, which is now, right?
Dave Bittner: [00:16:25] Right.
Joe Carrigan: [00:16:25] So sometime this year, they're going to do that. But they're pushing that back, and the - one of the reasons they're saying is - Mozilla said in their release that they're reverting the change for an undetermined amount of time to better enable access to critical government sites sharing COVID-19 information. Now, you and I just did a little poking around. We can't find any government sites that are running TLS 1.0 or 1.1. Everything we found was at least running 1.2. And we looked at West Virginia's site. We looked at Maryland's site, the federal government sites, even a county site in rural Maryland. They were all running at least TLS 1.2. But that wasn't an exhaustive search. We didn't...
Dave Bittner: [00:17:04] Sure.
Joe Carrigan: [00:17:05] You know, we had 10 minutes beforehand. (Laughter) So we didn't search every single county website in the country.
Dave Bittner: [00:17:09] Yeah.
Joe Carrigan: [00:17:10] So it could be valid. But also, think about companies that may be in the process of upgrading from an older TLS version to either 1.2 or 1.3. And the people making this transition now are not working together. They're - it's going to be a slower process for them.
Dave Bittner: [00:17:25] Yeah. It's an interesting compromise to ponder, that the potential security issues of maintaining support for these, I suppose they've concluded, are less important than the ability for people to get information about things like health with COVID-19.
Joe Carrigan: [00:17:44] That's correct. I think that's exactly what's going on here, is there is an assessment that's been made that the bigger risk is denying people information. I think that's accurate because there's nothing stopping somebody from going ahead and going to version 1.2 or 1.3 of TLS. You can still do that and not impact older versions. And you should be doing that, by the way. You should - you absolutely should be doing that. If your website is running TLS 1.0 or 1.1, that's not good. You should be upgrading as soon as possible.
Dave Bittner: [00:18:13] Yeah, it's interesting that we've seen several companies say that, throughout this global emergency, that they have shifted their focus away from things like new features toward security...
Joe Carrigan: [00:18:27] Right.
Dave Bittner: [00:18:27] ...That they're laser focused on, you know, updates are going to be about this one thing, and it's going to be about making everyone safe, and we can all agree that we're going to wait on some new features for a while.
Joe Carrigan: [00:18:38] Yeah. Yeah, that's a good outcome of this, I guess, if you could say that. In the development world, security is not really one of the drivers of the development effort because it doesn't really present a very clear benefit to the user. To us, absolutely, it's a clear benefit, right?
Dave Bittner: [00:18:56] Right.
Joe Carrigan: [00:18:56] To people who think about these kind of things, it's a clear benefit.
Dave Bittner: [00:18:58] Right. Right.
Joe Carrigan: [00:18:59] But if the user wants a new feature - that's really what they're focused on - I think the basic assumption of the user is that the security is built in already and that I'm trusting you to build it. So don't tell me about the security, but I expect it to be secure.
Dave Bittner: [00:19:13] Yeah. And it's those new features that tend to make the cash register ring, right?
Joe Carrigan: [00:19:17] That is exactly correct, unfortunately. I think this is changing, but it's not - hey, our product's the most secure product you can buy on the internet, for whatever purpose it is; it's - what's the coolest feature that you have?
Dave Bittner: [00:19:30] Right. Right. Exactly. All right. Well, Joe Carrigan, as always, thanks for joining us.
Joe Carrigan: [00:19:34] My pleasure, Dave.
Dave Bittner: [00:19:40] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: [00:19:59] Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com.
Dave Bittner: [00:20:10] The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.