Dave Bittner: NSA - yes, NSA - has some privacy advice. Interpol offers its take on where cybercrime is going during the time of the pandemic. Iran's Oilrig is getting clever with its data exfiltration. The FBI would like to know when you're finally going to move on from Windows 7 - like, come on, people. Joe Carrigan looks at pesky ads from the Google Play store. Our guest is Bobby McLernon from Axonius on how federal cybersecurity is particularly vulnerable during the shutdown. And a not-guilty plea from one of the three alleged Twitter hackers, along with some notes on how whoever dunit dunit.
Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 5, 2020.
Dave Bittner: The U.S. National Security Agency has released an advisory on the risks associated with the geolocation data many systems and apps routinely collect - quote, "location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines, user and organizational, and can expose otherwise unknown associations between users and locations."
Dave Bittner: The agency's recommendations are addressed in the first instance to government personnel, but they're presented as applicable to anyone concerned about privacy - turning off location-sharing services, give apps minimal privileges, set browser options to prevent use of location data, turn off advertising permissions and even disenabling features that track lost devices.
Dave Bittner: Plaintext usernames, passwords and IP addresses for more than 900 Pulse Secure VPN enterprise servers are being shared on a Russian language hacker forum, a ZDNet investigation has found. All the compromised servers were running firmware vulnerable to CVE-2019-11510. The forum to which the data were posted is frequented by ransomware gangs.
Dave Bittner: Those gangs include, ZDNet says, REvil, also known as Sodinokibi, NetWalker, LockBit, Avaddon, Makop and Exorcist. All maintain a presence on the unnamed forum, and they use it to recruit both developers - effectively gang members - and affiliates - that is, customers.
Dave Bittner: The data were dumped without any fees attached. Organizations using Pulse Secure VPNs should update their systems. Since VPNs are especially useful in remote work, they should also look to the security of their sheltered-at-home workforce.
Dave Bittner: Interpol yesterday released a report on cybercrime trends observed during the COVID-19 pandemic. There's been a shift in targeting. Initially, individuals and smaller organizations were the preferred targets, but more recently, large companies, government agencies and infrastructure have been the focus of threat actors.
Dave Bittner: Interpol makes three predictions with respect to cybersecurity during the pandemic.
Dave Bittner: First, we should expect the increase in cybercrime to continue, at least for the near term. Criminals will continue to work against the expanded attack surface a remote, distributed workforce inevitably presents.
Dave Bittner: Second, as long as the public remains worried about the pandemic, COVID-19 phishing scams will retain their popularity. Interpol expects such phishing to go hand in hand with a corresponding increase in business email compromise. In both ordinary phishing and BEC attempts, the criminals can be expected to improve their social engineering game and produce increasingly plausible phishbait.
Dave Bittner: And finally, once a vaccine is available against this strain of coronavirus, expect a big spike in vaccine-themed phishing, as well as industrial espionage aimed at biomedical research and production.
Dave Bittner: As always, we should also expect public concern to breed plenty of misinformation. Interpol doesn't say so, but it's reasonable to assume that a large fraction of that misinformation will simply be the madness of crowds. But some smaller fraction will no doubt be deliberate, opportunistic disinformation.
Dave Bittner: All right, so fess up. You're not still running Windows 7, are you? After all, it's beyond its end of life, and the FBI this week staged a mild intervention for the benefit of its more laggard private sector partners - quote, "the FBI has observed cybercriminals targeting computer network infrastructure after an operating system achieves end of life status," the Bureau cautioned in a private industry notification. "Continuing to use Windows 7 within an enterprise may provide cybercriminals access into computer systems. As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered," end quote. We know, we know. It's like a public service announcement. Buckle up for safety. Stay in school, kids. But that's all good advice, too, and it's none the worse for its earnest familiarity.
Dave Bittner: Sure, the Bureau says, there are troubles whenever you migrate to a new operating system. But those shrink to the irritation level when you compare them to the risks of staying with the old, the creaky, the leaky, the vulnerable and the unpatched. So do yourself a favor and upgrade. We're pulling for you.
Dave Bittner: Bobby McLernon heads up the federal division at cybersecurity asset management company Axonius. He joins us to discuss how during this shutdown, federal cybersecurity is more vulnerable than ever.
Bobby McLernon: Today, I think the C-level executives are thinking much more dynamically and outside of that box as it relates to cost. Cost today is a big consideration because everyone's been working from home. Government employees are looking for some type of recompense or some type of stipend for the use of their home as it relates to work. They are utilizing assets that they've purchased with their own personal resources, so reclamation, if they're called back to work, is a concern for a C-level exec.
Bobby McLernon: And I think as well, production - the C-level executives are starting to look at themselves more like an industry, like a big company. How do I get production from people to accomplish my goals in the same manner as when they were working on-prem?
Dave Bittner: What are some of the specific adjustments they've had to make on the cybersecurity side of things?
Bobby McLernon: So as it relates to cyber, with employees going out and purchasing their own assets, I think it's an extraordinary challenge for the C-level execs now to manage those assets. In other words, which assets are out there without the appropriate agents? Which assets are out there without the appropriate software on their equipment and patching and so forth? So as it relates to locking down the endpoint and yet keeping continuity with the workforce, I think this brings a lot of new issues to the table for cyber.
Dave Bittner: As we settle into this and we start to look towards what things might look like on the other side, how do you suppose these folks are preparing for that, for the notion of people coming back to work in this new reality?
Bobby McLernon: I can tell you that social distancing is a big concern. I - from what I understand, they are looking to re-architect workspaces to put the appropriate distance between employees. I've also heard that in many cases, the air filtration systems are being looked at to try and put some type of biohazard - the same type of apparatus that goes into a home HVAC to keep mold out, things of that nature - something to purify the air and make the work environment safer.
Dave Bittner: Yeah, yeah. Absolutely.
Bobby McLernon: So those are two examples, but I heard them from a couple of different sources. And I think that the social distancing thing is going to be - or that type of approach is going to be significant going forward because from what I understand, COVID may reoccur in the fall. And I've read several times in the paper that there may be the advent of swine flu crossing borders here in the coming months. So I really believe that people are going to be in a different work environment than they have in the past.
Dave Bittner: That's Bobby McLernon from Axonius.
Dave Bittner: And finally, the AP says that 17-year-old Graham Ivan Clark, the youth accused of participating in the Twitter hack and its attendant altcoin scam scheme, was arraigned Monday in Florida on state charges of fraud. He pled not guilty, and, of course, is entitled to the customary presumption of innocence.
Dave Bittner: The Wall Street Journal has the story the prosecutors told of how Master Clark allegedly did it. He started with a SIM swap to get access to a plausible phone number. He also set up a few bogus sites as landing places for his phishing pages and then collected the right logos and text to make them plausible. One of the pages was designed to look like Twitter's Okta login portal, through which employees securely enter Twitter's systems. The Journal points out that Okta itself was uncompromised. The sites were pure imposture.
Dave Bittner: And then he called Twitter admins, some of the roughly 3,000 who have access to Twitter's account control panels. He said he was from IT, directed them to the phishing pages and convinced enough of them to cough up their credentials to give him the ability, for an hour or so, to wrench control of more than a hundred accounts, mostly high-value and high-profile accounts.
Dave Bittner: An interesting aspect of the story is the connection to online gaming. According to The Wall Street Journal, quote, "the tactics that Mr. Clark allegedly used have been honed in recent years with remarkable tenacity by a community of teenagers and young adults. The practitioners cut their teeth in the antics of online gaming, where stealing one another's Xbox or PlayStation gaming accounts is counted as a harmless prank, according to investigators and security experts," end quote.
Dave Bittner: So the internet's notorious disinhibition misdirects another youth. In cyberspace, it can seem as if sufficiently artful wishing makes it so - until, that is, you forget that cyberspace eventually meets real life. In real life, you have liberty, but within the framework of physical possibility. And in real life, you have rights. In this case, unfortunately, one of them is the right to remain silent.
Dave Bittner: And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Joe, great to have you back.
Joe Carrigan: Hi, Dave.
Dave Bittner: I've got an interesting bit of research that was shared with us. This is from the Satori Threat Intelligence and Research Team over at White Ops Security. Joe, they have found some chicanery, (laughter) some bad stuff going on over on the Google Play store. Can you describe to us what does their research delve into here?
Joe Carrigan: Right. So they have discovered 29 apps with code that facilitates what they call out-of-context ads. And these are ads that will pop up on your phone when you're not in some app. It's just like you'll be looking at your home screen, and then, bam, you get an ad on your phone.
Dave Bittner: Let me stop you right there, Joe...
Joe Carrigan: Yeah.
Dave Bittner: ...Because you know one of my favorite pastimes is giving you a hard time about Android because I'm an iPhone user.
Joe Carrigan: Yes, I know.
Dave Bittner: And (laughter) I was looking at the animation that they posted here in their research of how these ads work, and it's just someone sort of browsing through their list of apps, and all of a sudden, this ad pops up. And I'm thinking to myself, you're OK with this?
Joe Carrigan: Right. Why is this even a thing that can be done on the Android platform?
Dave Bittner: If my phone did this, I would throw it out the window.
Joe Carrigan: Right. And no app should do this. And actually, that's a good point, Dave. I don't think that the operating system should allow this to occur.
Dave Bittner: Yeah.
Joe Carrigan: There may be some legitimate use case where this is a good idea, but I can't think of it right now.
Dave Bittner: (Laughter).
Joe Carrigan: So if somebody can come up with a legitimate use case, let me know. I would love to hear it.
Dave Bittner: (Laughter) OK.
Joe Carrigan: Getting rid of that functionality from the operating system would stop a lot of this from happening, but there are still other means of pushing ads that actually do represent legitimate use cases, like push notifications, right?
Dave Bittner: Yeah.
Joe Carrigan: You might want push notifications for, say, incoming weather that may affect you.
Dave Bittner: Right, right.
Joe Carrigan: There's the easy-to-identify legitimate use case for those, but those can still be abused for ads.
Joe Carrigan: But what's interesting is that these apps had 3.5 million downloads among them. That's an average of about 120,000 downloads per app. And many of these apps were purporting to be a blur app, which is a photo editing app that will let you blur out portions of a photo. So let's say you take a picture of your new car, you want to blur out the license plate. This is what you would use - something like this.
Dave Bittner: OK.
Joe Carrigan: But these apps don't do that. They have very minimal functionality that's just enough to get past the automated tests for the Google Play store.
Joe Carrigan: And then they do a lot of hinky things. Like, for example, the very first paragraph of this article says, if the app you just downloaded is playing hide-and-seek with you, like the icon's disappearing from your home screen, it might be bogus. If the only way you can open this app is by going to your settings menu and finding it in the long list of apps, it might be bogus. And if after you download this app, your phone starts to give you these out-of-context ads, it might be bogus, right?
Joe Carrigan: Another interesting telltale sign - and this is one of the things I've said before, but they talk about this in the reviews. These reviews have what they call a C-shaped distribution - right? - which means that if you look at the distribution, there's a lot of five stars, very few four-, three- and two-star ratings, and then a lot of one-star ratings. So it kind of looks like the letter C, right? That is indicative of a malicious app or an app that's just going to serve ads.
Dave Bittner: Because?
Joe Carrigan: Because these people go out and they buy reviews. And when you buy reviews, you don't buy two-star, three-star or four-star reviews. You buy five-star reviews.
Dave Bittner: Right.
Joe Carrigan: And these guys have bought a bunch of five-star reviews. And when you produce a piece of software that is just a nuisance, it creates a bunch of angry people who then go in and give you a bunch of one-star reviews. So that's what you're going to see. You're going to see the five-star reviews that they've purchased and the one-star reviews that they've earned. So if you see that, let that be a message, a warning, to you.
Dave Bittner: It makes me wonder, could you put in an app - how many downloads would you get if you just stuck an app - somehow got an app in the Google Play store or any of these online stores, and if the app was called This App Does Nothing (laughter)?
Joe Carrigan: Right.
Dave Bittner: You'd still get over 100,000 downloads just because, I mean, I guess there are people out there who just download anything.
Joe Carrigan: Right. That is a mystery to me.
Dave Bittner: Yeah, yeah.
Joe Carrigan: You know, I don't go out and just download any app. I go with a specific purpose for looking for a functionality that I want to have, and then I read the reviews before I install it. And then finally, when I - if I do choose to install it, I check the permissions that it requests. So think about these things. Think about the permissions you're giving away. Read the reviews and look for that C-shaped distribution.
Dave Bittner: Yeah. Yeah. All right, well, again, this is from the Satori Threat Intelligence and Research Team over at White Ops. The research is called "Bringing Blur Apps Into Focus." Joe Carrigan, thanks for joining us.
Joe Carrigan: It's my pleasure, Dave.
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.