The CyberWire Daily Podcast 8.12.20
Ep 1150 | 8.12.20

Domestic cyber squabbling in Belarus and Iran. Pakistan accuses India of a cyber offensive. More on Papua’s data center. More privacy questions for TikTok. Parental control or stalker’s tool?

Transcript

Dave Bittner: Regional rivals tussle in cyberspace, and governments have it out with dissidents and the opposition. Market penetration as an instrument of state power. TikTok gets more unwelcome scrutiny over its privacy practices. Joe Carrigan on a credential harvesting phishing scheme using Zoom as bait. Our guest is Avi Shua from Orca Security on accidental vulnerabilities. And suppressing creepware is apparently harder than it looks.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Wednesday, August 12, 2020. 

Dave Bittner: Various accusations of cyberattack have been emerging from regional and domestic rivals. 

Dave Bittner: Shutting down the internet is the 21st century analog of the 20th century's seizure of the radio stations and the phone exchange, the 19th century's occupation of the newspaper and telegraph offices. That's what appears to be going on in Belarus, where internet disruptions that began at the end of the country's presidential election continue. 

Dave Bittner: Belarus has taken the official view that its internet outage is the work of ill-intentioned foreign operators, but as Meduza says, domestic dissidents claim - and most observers are with them on this - that it's the work of Minsk itself. The opposition had predicted as voting began that the government would clamp down on the internet, and that's what appears to have happened. The country's top-level domain, .by, was also rendered largely inaccessible to people outside Belarus.  

Dave Bittner: The Guardian sees it as a high-stakes gamble aimed at disrupting the ability of protesters to organize. Most such communication has moved to Telegram, which offers a degree of anonymity, is hosted where Minsk's writ doesn't run and which has shown itself relatively resistant to being taken down.  

Dave Bittner: Much of Belarus is effectively incommunicado, with some telephone service also reporting disruption. The internet blocking has been run through Beltelecom, the national telco, and the Belarusian National Traffic Exchange Center. 

Dave Bittner: One probable unintended consequence of the shutdown is that the remaining channels tend to be particularly susceptible to rumor, misdirection and speculation. In many social channels, the clock is always striking 13, the Martians have landed, and the man is out to get you. Sometimes that's even true - the Martians eventually get through, at least in our editor's experience - but if President Lukashenko doesn't like that result, he might usefully consult the man in the mirror. 

Dave Bittner: The News International edition and other outlets report that Pakistan's army assesses recent incidents on soldiers' mobile devices as representing cyberattacks from inveterate adversary India. 

Dave Bittner: Pakistan's Inter-Services Public Relations organization, the ultimate source of news about the attribution, accused Indian intelligence services of a range of cybercrimes, including deceitful fabrication by hacking personal mobiles and technical gadgets. The Pakistan military's media relations arm added ambiguously that, "various targets of hostile intelligence agencies are being investigated. Pakistan Army has further enhanced necessary measures to thwart such activities, including action against violators of standing operating procedures on cybersecurity," end quote.  Other government departments are also being told to go to a higher level of alert with respect to cybersecurity, and especially to look for security lapses. 

Dave Bittner: Deceitful fabrication suggests either social engineering or disinformation, but the statement awaits clarification. Pakistan has grown increasingly skittish about WhatsApp since WhatsApp has been found susceptible to Pegasus spyware infestations, and there's much discussion of forgoing the use of WhatsApp in stories covering Pakistan's warning. 

Dave Bittner: The National Council of Resistance of Iran, whose English-language service represents the Iranian opposition to much of the rest of the world, has accused Tehran of attempting to take down the website of the opposition's People's Mojahedin Organization of Iran. The National Council of Resistance says the attempt, while desperate - here one must make allowances for partisan hype - was unsuccessful. 

Dave Bittner: Researchers at Orca Security have been investigating what they describe as an all too common mistake of leaving an organization vulnerable to attacks by accidentally exposing it through allowlisting external CI/CD servers. CI/CD stands for continuous integration and continuous delivery, by the way. Avi Shua is CEO and co-founder at Orca Security, and he shares these insights. 

Avi Shua: At the end of the day, these days, everyone loves to use SaaS. You integrate external CI/CD services. You may be using any other external services as part of your internal processes. And you need to open them to intimately integrate it into the environment. If you think about it, if you use a service like Bitbucket or GitHub or any one of these services, it's essentially outsourcing, or putting in an external service, something which is a pretty intimate part of your development process. And as such, it needs to communicate with your internal processes. So naturally, you need to open it. And the way that you open it is many times done by simply opening a hole. The hole allows access from these external services to your internal services. And you may not notice that it means that you opened an internal service to the world. And this seems right. At the end of the day, these are the reputable services, and you don't expect GitHub or Liaison to attack you. 

Dave Bittner: So what happens next? If someone makes this configuration error, what specifically is the problem here? How are they opening themselves up? 

Avi Shua: So it might seem like a valid configuration - you're opening a hole in your policy to allow these external services to communicate with your internal servers that might not be secure to the same extent as you'd want, but you're opening it only for these reputable companies that are certainly not going to attack you. So it seems fine. But what usually the practitioners don't understand is that when you open it to these services, it's not like you're only opening it to the employees of Bitbucket or to the employees of GitHub. You are in fact opening it to any of these companies' customers. 

Dave Bittner: The folks that you work with when you're describing these sorts of things to put into place, what are some of the reasons that they give to you why they haven't used such a system so far? 

Avi Shua: My main suggestion is that any organization that works in the cloud these days must make sure that they have the tools and processes to understand the security posture of this environment across the technology stack. There will be mistakes. There will be misconfiguration because people make mistakes, and they can be both in the application and the configuration. It might involve different parts of them. And you must make sure that you have the tools and processes to detect them and handle them. And don't assume that it can be fixed only by training or - people make mistakes in security, but we must assume that they will continue to make mistakes. And we need to be able to fix it and find them as fast as possible. 

Dave Bittner: That's Avi Shua from Orca Security. 

Dave Bittner: The Wall Street Journal reports that TikTok had, until last November, collected MAC addresses in an undisclosed user tracking program, a technique that appears to violate Google's rules on how apps may collect user data. TikTok told the Journal that it, quote, "remains committed to protecting the privacy and safety of the TikTok community. Like our peers, we constantly update our app to keep up with evolving security challenges," end quote. The company added that the current version of TikTok does not collect MAC addresses. 

Dave Bittner: In an unrelated development, Reuters says that TikTok's proposed move of data centers from the U.S. to a presumably friendlier Europe may have also hit a snag, as the French regulator, the CNIL, acknowledges that it has an open investigation into the service's privacy safeguards. A CNIL spokesman told Reuters, quote, "The CNIL began investigations into the tiktok.com website and the TikTok application in May 2020. The CNIL had indeed received a complaint at that date. To date, the CNIL continues its investigations and participates in ongoing European work," end quote. 

Dave Bittner: And finally, yesterday was the deadline Google gave stalkerware vendors to stop advertising on the Mountain View marketing giant's search platform. But TechCrunch finds that a number of such apps, designed to give you the ability to snoop on someone's device usage without their knowledge or consent, are still present with ads. It's a tough problem, tougher than it would appear. Few people in the civilized world would want to empower stalkers and domestic abusers to keep track of their fixation's digital exhaust. It's creepy, sure, but it's also dangerous. Having said that, there are plenty of parents who want to have some insight into what their minor children are doing online, and that's far more defensible. Google sought to carve out an exception to its rules to accommodate what we might call in loco parentis software. But that's tough to do. Cyberspace is more dual use than just about anywhere else. And the tool that might help keep your child from using your credit card to buy skater gear can alas be repurposed as creepware. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Interesting report came from the folks over at INKY. They are an email security company. They do a lot of work protecting people against phishing and those sorts of things. And this article is called "Zoom & Doom: How INKY Unraveled A Credential Harvesting Phishing Scam." There's some interesting stuff in this report here, Joe. You want to unpack it for us? 

Joe Carrigan: Yeah. So it starts off talking about Zoom, the teleconferencing company. This is an absolutely amazing statistic that, in December of last year, they had 10 million daily participants in meetings. Now they have 300 million in April of this year. OK. And that's because, of course, we're all working from home, right? I mean, I attended Zoom meetings several times a week. This is not really surprising. But, I mean, that's a remarkable level of growth. 

Dave Bittner: Right. 

Joe Carrigan: And actually, the - this phishing scam doesn't actually exploit anything in Zoom. There's nothing in - that Zoom can do about this. It's just - these attackers are using Zoom as a hook for a phishing email. And they might be sending an email from a compromised Zoom account but a lot of times they're not. They're just sending it from a fake domain like zoomcommunications.com or zoomvideoconference.com. These attackers have registered these domains. And I think these domains - I think Zoom has a good cyber-squatting case here. They could probably get control of those domains. They're actually using the company name Zoom and what they do - communications or video conferencing - in the URL. So I think Zoom should go after these domains and try to just get them and then gain control and redirect to their stuff. That's my advice to them if I was consulting them, which I'm not. So... 

Dave Bittner: (Laughter). 

Joe Carrigan: I'm just giving free security consulting services to Zoom here. But anyway, what these phishing emails are doing is they're actually trying to harvest credentials for Microsoft Office 365 users. So you click on the link, and it takes you to a page impersonating a Microsoft login. 

Dave Bittner: So it's saying you've been invited to a Zoom meeting. 

Joe Carrigan: Right. 

Dave Bittner: You click on the link, and it takes you to an Office or an Outlook, whatever - something in the Microsoft suite - login for that. 

Joe Carrigan: Yeah, which to me would be a red flag. But, you know, I'm really steeped in the cloud computing or cloud environment. 

Dave Bittner: Yeah. 

Joe Carrigan: It's something that could kind of make sense. You know, I mean, I remember years ago, I would be trying to navigate a network. And I'd have to go to some other place. And they'd say, you have to log in. And I'd say, I thought I already logged in. And I'd make sure that I was going to the right place, and it would work. It would log in, and I'd get there. 

Dave Bittner: Right. 

Joe Carrigan: But - so I imagine that there's some kind of thing going on here psychologically with people where they're going, oh, well, it says we use Microsoft. Maybe I have to go into my Microsoft account to access my Zoom - access the Zoom meeting. It kind of makes sense. I mean, it's not right thinking, but this stuff is a lot of smoke and mirrors and a black art to just about everybody who is not living day-to-day in the technical world. 

Dave Bittner: How often do these cloud services just sort of pop up and say, hey, you need to re-login for whatever reasons? 

Joe Carrigan: Yeah. That's happened as well. 

Dave Bittner: Yeah, something's happened and you need to log in. And most of us think, all right. Well, it's, you know, a little bit of a nuisance, not a big deal. You put in your credentials and away you go. 

Joe Carrigan: Yeah. And a lot of times that can happen if your IP address changes, right? 

Dave Bittner: Right. So I think this is taking advantage of that, how routine that has become that we don't really think twice about it when one of these things pops up. We think, oh, all right. Well, you know, I want to get my work done. Better log in again. 

Joe Carrigan: Right. So you just go ahead and do it, right? And that's what happens. 

Dave Bittner: Yeah. 

Joe Carrigan: Couple of interesting things about this campaign. One is that some of these emails have an attachment. And when you click on the attachment, what that actually loads up is the malicious webpage. But the malicious webpage is hosted on your computer. So these attachments are actually composed of HTML, JavaScript and PHP that's obfuscated. So it's unreadable to humans. You couldn't read it, and also, a lot of automated security tools can't read it as well. So it's a clever way to evade URL reputation checkers because this does not involve checking a URL. You're opening a local file. Then on the back end, I imagine that there's probably some JavaScript when you click submit that just opens another web connection out to a site, just sends that across in some JSON packet or something, right? So these credentials are then just exfiltrated. 

Dave Bittner: Yeah. And these, you know, as we've talked about before - we talk about this all the time on "Hacking Humans" - how legit these login pages look because they're actually just scooping up the HTML code from the real site. 

Joe Carrigan: Right. Yeah. HTML is - all of the web is just text-based, right? All the code. There's no compilation of a webpage. It's a text file that gets sent down to me and rendered in my browser, along with other text files like JavaScript and CSS. But they're all still text files. They're not binaries. So there is no way to stop somebody from having complete access to all of the source code for your webpage. You can't do it unless you don't want to display your webpage to them. 

Dave Bittner: Right. Right. Right. All right. Well, it's an interesting look into this particular phishing campaign, you know, taking advantage of that popularity of Zoom. And I suppose the lesson here is look twice, think twice before you just reflexively log into some of these cloud services. 

Joe Carrigan: Yeah. That's the lesson. Also, another lesson. Whenever you have cloud services - multi-factor authentication, multi-factor authentication, multi-factor authentication. These credentials will not do an attacker any good if you have a good multi-factor authentication solution implemented. 

Dave Bittner: Yeah. All right. Well, Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure, Dave. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We will see you back here tomorrow.