The CyberWire Daily Podcast 5.6.20
Ep 1082 | 5.6.20

Taking down coordinated inauthenticity. Contact tracing and other COVID-19 notes. BlackInfinity taken down.

Transcript

Dave Bittner: [00:00:04] Facebook reports on the coordinated inauthenticity it took down in April. A ransomware attack in Taiwan may be state-directed. Remcos RATs are being pushed with targeted spam. Investigations into COVID-19's origins continue, as does medical espionage. Contact tracing's challenges. Joe Carrigan explains recent flaws in antivirus products. Our guests are Laura Deimling and Courtney Wandeloski from Down to Staff with interviewing tips for employees and hiring managers. And European police take down the Black Infinity (ph) credential traffickers. 

Dave Bittner: [00:00:44]  It's time to take a moment to tell you about our sponsor Recorded Future. You've probably heard of Recorded Future, the real-time threat intelligence company. Their patented technology continuously analyzes the entire web to give infosec analysts unmatched insight into emerging threats. We subscribe to and read their Cyber Daily. They do some of the heavy lifting in collection and analysis that frees you to make the best-informed decisions possible for your organization. Sign up for the Cyber Daily email and every day, you'll receive the top results for trending technical indicators that are crossing the web - cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today and stay ahead of the cyberattacks. Go to recordedfuture.com/cyberwire to subscribe for free threat intelligence updates from Recorded Future. It's timely. It's solid. And the price is right. And we thank Recorded Future for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security built natively in the cloud for the cloud, to protect the latest, like containers, to empower your change-makers, like developers, and to enable business accelerators, like your teams. Cloud security that accelerates business - it's about time. Go to mcafee.com/time. 

Dave Bittner: [00:02:08]  From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, May 6, 2020. 

Dave Bittner: [00:02:17]  Facebook has removed hundreds of disinformation accounts. Menlo Park's report on coordinated inauthenticity for April breaks down the countries where the Facebook and Instagram accounts formerly operated. Georgia leads with almost a thousand suspect accounts taken down. They were, for the most part, associated with domestic political groups. Russia and Iran showed high levels of state-directed activity directed at foreign targets. A number of takedowns in the U.S. removed inauthentic accounts associated with conspiracy theorists at QAnon. Accounts taken down in Mauritania and Myanmar focused on domestic audiences, and the Myanmar operations were associated with that country's police. 

Dave Bittner: [00:02:59]  An unfortunate side effect of the global pandemic is that there are a lot of people out there looking for jobs. Cybersecurity sector, despite having a shortage of qualified workers, is not immune to this trend. Laura Deimling and Courtney Wandeloski are from staffing organization Down to Staff. 

Laura Deimling: [00:03:17]  While most companies now are hiring virtually... 

Dave Bittner: [00:03:21]  That's Laura Deimling. 

Laura Deimling: [00:03:22]  ...A lot of them are also doing virtual career fairs and virtual hiring events. So it's 2020. We have the technology. And now companies are really utilizing that. So there's really no reason to not be able to make those connections. People are doing Zoom happy hours and Zoom get-togethers. And there are so many different groups that are starting up that are doing these different sort of virtual events. I would say to candidates to take advantage of all of those, especially if you have lost your job and you do have the time, take a look on LinkedIn and just join any webinars. Join any little happy hour events. And start connecting and expanding your network. 

Dave Bittner: [00:04:09]  So even though we're in a situation where we may have to do it more remotely, that networking element is still really important. 

Laura Deimling: [00:04:17]  Yes, I would say it's even more important than ever. And the networking, it has shifted from networking with your current small, little network to really expanding your network. And I would say that's where the emphasis should be on networking. It's not just, you know, who you know right now, but it's who can you get to know, is what I think the focus should be on. 

Dave Bittner: [00:04:40]  Are there any common mistakes that you see people making when they're heading down this path, when they're taking this journey looking for new work? 

Laura Deimling: [00:04:48]  I think, you know, just making sure that candidates - ensuring that they're prepared for their interviews, especially with stuff being virtually. If you have an interview with a call-in number or a video interview, make sure you have the software, the software is working, you know, everything is running smoothly before the interview. The last thing that you want to do is, you know, not be able to get your video interview software working and the hiring manager has to wait 10 minutes for you to figure it out. So just really being prepared, you know, making sure that with all of these changes and stuff being more virtual that you understand the technology, that you know how to use it and that you're ready when that opportunity comes up to, you know, look like you know what you're doing, understand, be professional and really impress the hiring team. 

Courtney Wandeloski: [00:05:41]  And another note on that as well is the job market is getting ready to be flooded with a lot of candidates and a lot of qualified candidates. 

Dave Bittner: [00:05:50]  That's Courtney Wandeloski. 

Courtney Wandeloski: [00:05:51]  So many people are losing their jobs, and there's going to be a lot more people looking for jobs than there have been in the past few years. You know, unemployment has been really low. It is not like that anymore. So I would say being quick to respond could mean getting a job or missing out because another candidate got it. So I think now more than ever - the candidates have been in the driver's seat for many years now, and we're getting ready to see a switch again of where the companies have a little bit more control in the hiring process. So I would say, you know, make sure you are very responsive to any calls and emails because if you're not, somebody else is going to. 

Dave Bittner: [00:06:33]  That's Laura Deimling and Courtney Wandeloski from Down to Staff. 

Dave Bittner: [00:06:39]  The chairman of the U.S. Joint Chiefs of Staff, US Army General Mark Milley, yesterday offered an assessment of where the ongoing US investigation into the origins of COVID-19 stands. As The Hill reports, General Milley told reporters, quote, "the weight of the evidence - nothing's conclusive. The weight of evidence is that it was natural and not manmade. The second issue is, was it accidentally released, did it release naturally into the environment, or was it intentional? We don't have conclusive evidence in any of that, but the weight of evidence is that it was probably not intentional," end quote. He called upon China to cooperate with international investigators. So the current state of the question seems to be that the virus was not artificially engineered but rather emerged naturally and was not intentionally released. Whether the outbreak originated in human contact with infected animals or in an accident at a Wuhan laboratory remains undetermined. 

Dave Bittner: [00:07:38]  Attempts by state-directed hackers to obtain the results of research into COVID-19, especially work toward a vaccine, are continuing. The Week has summary of the password spraying campaigns that represent the general approach the attackers are taking. While both US and British services - specifically CISA and the NCSC - have issued warnings about the threat, the hostile intelligence services appear to have been especially active in the UK Britain's Foreign Minister Dominic Raab said yesterday that he expects the attacks to continue even after the pandemic subsides - quote, "there are various objectives and motivations that lie behind these attacks, from fraud on one hand to espionage, but they tend to be designed to steal bulk personal data, intellectual property and wider information that supports those aims. They're often linked with other state actors. And we expect this kind of predatory criminal behavior to continue and to evolve over the coming weeks and months ahead. And we're taking a range of measures to tackle that threat," end quote. 

Dave Bittner: [00:08:39]  As contact-tracing apps begin to roll out, they face two principal challenges - privacy and efficacy. Centralized tracing systems, like the one currently being piloted in the UK on the Isle of Wight, have drawn more concern than decentralized exposure notification systems, like that developed by Apple and Google. 

Dave Bittner: [00:08:58]  In the UK, the National Health Service is working to address privacy concerns about its app. NHS intends to form an ethics board to oversee use of the data it collects. And The Guardian adds, NHS is mulling the establishment of a sunset clause that would lead to deletion of the data once they're no longer needed. But concerns remain about the security of the information that would be held in the central data repository however long NHS needs to retain it. India's government has denied that its own contact-tracing system has a vulnerability that exposes the data it collects to compromise. Outlook India reports that the government evaluated the claims of a French white hat hacker having found that their system would expose sensitive personal information. The government's answer to the research points out that much of the information the researcher complained about, including certain forms of geolocation, were already public and that in other respects, the data were properly secured. 

Dave Bittner: [00:09:55]  The second issue is that of efficacy. SecurityWeek lists various points of skepticism, especially those that suggest the possibility of high false positive rates. Forbes discusses a more basic problem. If, as has generally been the case, the contact-tracing and exposure notification apps are intended to be installed voluntarily and if the system depends upon self-reporting of symptoms or diagnosis, they'll depend upon widespread public cooperation. But to be effective, that cooperation needs to extend to about 60% of the population. Narrowed to smartphone users who, of course, are the ones being tracked and notified, that fraction rises to 80%. That's about the best market penetration WhatsApp has achieved during its best years. It seems unlikely that a contact-tracing app will quickly beat WhatsApp with consumers. 

Dave Bittner: [00:10:47]  And finally, Europol has announced that Polish and Swiss police have taken down the credential trading Infinity Black gang. Five Polish hackers were arrested, and assets, including hardware and cryptocurrency wallets worth 100,000 euros, were seized. Infinity Black operated on both its own site and in other dark web markets, ZDNet reports. And the gang not only trafficked in credentials but also in attack tools sold to other criminals. The gang was well-organized and segmented. It seems unlikely the five arrested were the only members. 

Dave Bittner: [00:11:27]  And now a word from our sponsor KnowBe4. Corporate privacy concerns are more paramount than ever before. Organizations are being forced to maneuver a new world of security and privacy issues related to a remote workforce, evolving hardware and software needs and employee access policies. Kevin Mitnick knows this world well. In fact, that's the topic of his new book, "The Art of Invisibility." Kevin Mitnick has a new webinar, and a few topics include privacy concerns around employees using personal devices for business purposes, security issues with various operating systems, mobile devices and the internet of things, the reality of deep privacy and how tied-together devices, systems and surveillance really are and why new-school security awareness training is more critical than ever before. Plus, Kevin shares some shocking new demonstrations that will change the way you think about privacy. Go to knowbe4.com/artofinvisibility to watch the webinar. That's knowbe4.com/artofinvisibility. And we thank KnowBe4 for sponsoring our show. 

Dave Bittner: [00:12:42]  And joining me once again is Joe Carrigan. He's from the Johns Hopkins University Information Security Institute, also my co-host over on the "Hacking Humans" podcast. Joe, always great to have you back. 

Joe Carrigan: [00:12:52]  Hi, Dave. 

Dave Bittner: [00:12:53]  Interesting article. This is from Tom's Guide. 

Joe Carrigan: [00:12:56]  Yes. 

Dave Bittner: [00:12:56]  And it's titled "28 Antivirus Products Share Nasty Flaw That Can Brick Your PC." What's going on here, Joe? 

Joe Carrigan: [00:13:04]  It sounds terrifying, and it actually kind of is. First off, you need to have access to a machine first before you can do this. You have to be on the file system and have already penetrated the machine. So that has to have taken place at some point in time. But once you've done that, this technique exploits the antivirus process. And the way that works is antivirus will scan a file that has been downloaded, usually instantaneously. And then if it finds that file to be malicious, it will go ahead and delete it. But there is a time delay from when it gets scanned to when it gets deleted. 

Dave Bittner: [00:13:43]  OK. 

Joe Carrigan: [00:13:44]  And that's key. So if you use a technique called either - in Windows, it's called directory junctions, and on Linux and Mac, it's called symlinks, which are essentially just pointers to other parts of the file system - and you change the file from the malicious file that was detected to a symlink or a directory junction, then when the antivirus comes along and deletes that file, it will actually delete files that may be important to the operating system. And you can eliminate portions of the operating system that will essentially make it so that your computer will not run, which is what they mean by bricking your computer. 

Dave Bittner: [00:14:21]  Right. 

Joe Carrigan: [00:14:22]  It's not bricked in the sense that - like it's destroyed. You can still reinstall the operating system. But you have to go through that process of reinstalling the operating system. 

Dave Bittner: [00:14:30]  Now, this was pretty widespread among a lot of different antivirus programs, right? 

Joe Carrigan: [00:14:35]  Yeah, they said they had 28 that they found it on - found this vulnerability on. And that includes some major names in the antivirus world like McAfee, Sophos, F-Secure, Kaspersky, Microsoft, BitDefender. A lot of them had this vulnerability. 

Dave Bittner: [00:14:52]  Yeah, right. 

Joe Carrigan: [00:14:53]  And it's really a vulnerability in the process. It's not really a software vulnerability in the fact that, you know, they're not exporting anything - they're not doing anything with the software. They're doing something around the way the software works, which is a perfectly legitimate way to describe a vulnerability. You're exploiting something around the process of the software. 

Dave Bittner: [00:15:14]  Right. So it wasn't like the folks who wrote the code here made a mistake. This is taking advantage of the way that the operating systems work behind the scenes. 

Joe Carrigan: [00:15:22]  Right. And I think the people from RACK911 - that's the company that found this. I think they would say this is a coding mistake, but it's not - I wouldn't say it's a coding mistake. I would say it's a design mistake, right? So earlier on in the process of building software, that's where you made the error - in the design phase. 

Dave Bittner: [00:15:43]  Interesting to note, too, that the folks at RACK911, they had some interesting critiques of the folks who make this software. 

Joe Carrigan: [00:15:51]  Yeah, they did. And I'm going to echo this a little bit. I'm going to read directly from their blog post, which is on rack911labs.com. It says, we have been involved in penetration testing for a long time and never imagined our counterparts in the antivirus industry would be so difficult to work with due to constant lack of updates and total disregard in the urgency of patching the security vulnerabilities. I find that shocking to hear. They started this research in the fall of 2018. And now they're going public with it here in the spring of 2020, which is, like, 18 months. And every single vendor that they contacted has had at least six months to fix this vulnerability. And at the time of the initial writing of this vulnerability, not everybody had done it. And down at the bottom, they have an update from April 24 that says almost every antivirus vendor mentioned in this page now has patched with the exception of a few who will likely have patches out shortly given the media attention. And then they go on to say, the goal of disclosure is not to name and shame the vendors but to bring attention to how easy it was to leverage the antivirus software to become a destructive tool. OK, I understand that you're saying that, but I want to say it is perfectly fine to name and shame companies like this that are not participating with you actively in a vulnerability disclosure of this magnitude. This is a big flaw that they found in the systems, and I'm sure they're not the first people to find it. This can be used to destroy a lot of files. Because of the way symlinks and directory junctions work, you could use it to stop antivirus updates from happening - right? - because now, when my antivirus downloads an update, I can go out and convince the antivirus to delete its own signatures or delete a portion of its own signatures. That's a use case. I can envision an attack on this that - on using this exploit that makes the antivirus less effective by deleting the signature files that they download. The antivirus might - may believe it's up to date and may believe it's using the proper files, but, in fact, it's not. It may even cause it to fail. It may cause it to stop working, in which case now you can run a lot more software on this computer that you compromised. 

Joe Carrigan: [00:18:18]  Another thing they've said is that they've received questions about lesser known antiviruses that were not listed in the report and all were found to be vulnerable. And the final point that they make, which is actually a very good point, is that this is probably not something that's limited to antivirus. This is something that a lot of software - any software that accesses files should probably take a look at how they access that file and make sure that it can't be exploited by using this symlink or directory junction attack. 

Dave Bittner: [00:18:48]  All right. So I suppose the take-home here is if you're using any of these antivirus packages, make sure that you're up to date and that... 

Joe Carrigan: [00:18:56]  Right. 

Dave Bittner: [00:18:57]  ...They've put a proper patch in place. 

Joe Carrigan: [00:18:58]  Yep, yep. They've just about all patched for it now, which is good. So go ahead and update. Keep your software up to date at all times. You know, this is kind of a low-likelihood attack, but it's a high-impact attack. So I would say it's definitely worth going ahead and updating and making sure that you're updated. 

Dave Bittner: [00:19:16]  All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: [00:19:18]  My pleasure, Dave. 

Dave Bittner: [00:19:24]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: [00:19:43]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor, ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. 

Dave Bittner: [00:19:54]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.