The CyberWire Daily Podcast 11.1.22
Ep 1695 | 11.1.22

OpenSSL patched today. The risk of misconfiguration. Cyberespionage (and the risk of mixing the personal with the official). Assistance for Ukraine's cyber defense. And a quick look at DNS threats.

Transcript

Dave Bittner: Hello, everyone. This is Dave Bittner, co-founder and host of CyberWire. Before we get started today, I have an exciting announcement. CyberWire is growing. We're thrilled to announce that CyberWire and CyberVista, an industry leader in data-driven cybersecurity training, are joining forces to form parent company N2K Networks, the world's first news-to-knowledge network. One of the insights we gained about our business since we launched back in 2016 is that you aren't just listening to CyberWire to keep up on the latest news; you're listening to learn.

Dave Bittner: And over time, you've told us that we've become a critical part of your professional lives, a tool that helps you do your job better. That's news to knowledge, and we're excited to lean in on this idea and do more than ever before. So CyberWire and CyberVista are coming together to connect news to knowledge - one continuous spectrum of situational awareness and learning. 

Dave Bittner: The union creates powerful new opportunities for professionals to keep abreast of the latest developments in their industry, climb the knowledge curve quickly and stay ahead in a rapidly changing world. As always, you can continue to count on us at CyberWire to deliver the world-class content you rely on. It's only getting better from here. And if you're new to CyberWire, welcome. Be sure to check out our other shows and partner content. We have more than 20 different shows on our network, and there's something here for everyone. You can find them all on our website, cyberwire.com/podcasts. Thank you for being a valued member of our CyberWire community. And now back to your regularly scheduled programming. 

Dave Bittner: OpenSSL is patched today. The misconfiguration risk to U.S. government networks' security and compliance. Hacking Ms. Truss' phone. Assistance for Ukraine's cyber defense. Joe Carrigan looks at the latest round of apps pulled from the Google Play Store. Our guest is Matias Madou of Secure Code Warrior on why cultivating a positive culture among security and developer teams continues to fall short. And a quick look at DNS threats. 

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, November 1, 2022. 

OpenSSL patched today.

Dave Bittner: Today, November 1, OpenSSL is releasing a patch for a critical vulnerability in OpenSSL versions 3.0 and above. OpenSSL appears widely throughout the software supply chain, and a number of experts are comparing the vulnerability, which is rated critical, to Log4shell and Heartbleed, both of which affected a wide range of products and their users. 

Dave Bittner: While the OpenSSL Project hasn't released details about the flaw, Akamai notes that observers are taking it very seriously due to the rarity of a critical flaw in OpenSSL. Akamai sees an analogy with Heartbleed, stating, this vulnerability has caused concern in the security community because it is unusual for the OpenSSL team to rate a vulnerability as critical. There has only been one in the past, in 2014 - Heartbleed. When exploited, Heartbleed led to a memory leak from the server to the client or the other way around. 

Dave Bittner: Researchers at Nucleus point out that while the vulnerability may be severe, the threat may not be as widespread as some headlines suggest, since most organizations are still running OpenSSL versions 1 or 2. And, as is so often the case with patches, one can expect threat actors to step up exploitation as they too become aware of the issue and before users apply upgrades and mitigations. So look for vulnerability instances and get patching. 

Misconfiguration risk to US government networks' security and compliance.

Dave Bittner: Misconfiguration remains a source of trouble for organizations of all kinds. And the U.S. federal government would seem to be not that different from the rest of us. Titania has released a study on U.S. federal security practices titled “The impact of exploitable misconfigurations on the security of agencies’ networks and current approaches to mitigating risks in the U.S. Federal Government.” The research shows that network professionals report that they're meeting their security and compliance requirements, but the data suggests that this self-reporting is optimistic. Federal agencies have a larger number of devices on their network, with over 1,000 on average. Fifty-nine percent of respondents say that they assess the configuration of network devices every year, with 12% doing it on a bi-monthly cycle. Seventy-one percent report the effectiveness of their network security tools in categorizing and prioritizing compliance risks, which contrasts with the 81% of respondents that reported that the inability to prioritize remediation based on risk is a top issue. Respondents reported an average of 51 misconfigurations in the past year, with 83% reporting at least one critical configuration issue in the past two years. 

Hacking Ms. Truss' phone.

Dave Bittner: Turning to the hybrid war Russia is waging against Ukraine and the cyber-espionage that surrounds it, Moscow has dismissed reports that its intelligence services hacked former British Prime Minister Liz Truss' phone while she served as foreign secretary in her predecessor's government. Reuters reports that Kremlin spokesman Dmitry Peskov dismissed the incident as Fleet Street sensationalist nonsense. Mr. Peskov said, unfortunately, there is a shortage of material in the British media that can be perceived as serious, and we treat such publications as the yellow press. The possibility of Russian cyber-espionage isn't, however, being taken lightly in the U.K., where, according to the Independent, Tories have joined the opposition MPs in calling for a full investigation of the incident. 

Dave Bittner: There are other issues tangential to the possible compromise of Ms. Truss' phone found by spyware that are also arousing concern over in the U.K. They notably include the tendency of office holders to handle official information on personal devices. Suella Braverman, who had been Home Secretary in the Truss government before her resignation two weeks ago, admitted, the Telegraph reports. She says the material wasn't sensitive and posed no security risk. 

Dave Bittner: The personal is the political, as the New Left used to say. But really, it's not a good maxim for cyberspace. Sure, office-holder, Mr. and Ms. Government Official, you've got your own email and your own stuff at home. And you've maybe got a life outside work too, for all we know. But official business shouldn't wind up commingled with that life. Reserve those personal systems for arranging to test your dog's ancestry with a convenient DNA swab or for buying tickets to the game or - you get the picture. It's like Vegas. As the Rat Pack might tell you, what goes on in the government network should stay in the government network. 

Assistance for Ukraine's cyber defense.

Dave Bittner: The BBC reports that the British government has revealed the extent of cyber assistance it's rendered Ukraine. Aid amounting to some 6 million pounds has been delivered. In the course of discussing the assistance, the government offered a brief appreciation of the state of cyber conflict in Russia's hybrid war. In brief, cyberspace remains heavily contested, even as waves of Russian cyberattacks have not achieved the disruption widely expected at the beginning of the war. Foreign Secretary James Cleverly said, together, we will ensure that the Kremlin is defeated in every sphere - on land, in the air and in cyberspace. The U.K.'s support to Ukraine is not limited to military aid. We are drawing on Britain's world-leading expertise to support Ukraine's cyberdefenses. 

Dave Bittner: Lindy Cameron, chief executive of GCHQ's National Cyber Security Centre, said the threat remains real, and the U.K.'s support package is undoubtedly bolstering Ukraine's defenses further. The SVR, FSB and GRU have all been active against Ukraine in cyberspace. And of the three Russian intelligence agencies, the GRU has been the most active. 

DNS threats.

Dave Bittner: Akamai's DNS threat report for the third quarter of 2022 has found that 14% of devices connected with a malicious destination at least once during the quarter. The researchers state, breaking down these potentially compromised devices further, 59% of the devices communicated with malware or ransomware domains, 35% communicated with phishing domains and 6% communicated with command and control domains. Akamai also notes that phishing campaigns will increase as the holiday season approaches. So this unfortunate trend will, in all likelihood, see a seasonal upturn. 

Dave Bittner: Coming up after the break, Joe Carrigan looks at the latest round of apps pulled from the Google Play store. Our guest, Matias Madou of Secure Code Warrior, looks at why cultivating a positive culture among security and developer teams continues to fall short. Stay with us. 

Dave Bittner: Think about your average team of developers. Now imagine your security team. Do these two teams get along? Do they collaborate constructively? Is there tension? Matias Madou is co-founder and CTO at Secure Code Warrior, and he shares his thoughts on why cultivating a positive culture among security and developer teams continues to fall short. 

Matias Madou: So the highlights of why we are falling short today is really that developers and security are not really talking. It has improved over the last 10 years, but we need to do better. Security really needs to help developers in today's world. Ten years ago, security could just find problems in code, throw them over the wall, and it was up to the developers to fix them. Today, we really have to help the developers. The developers are the people that write the codes, and we really need to help them. So security really needs to figure out ways on how they can actually empower and help developers in writing security code. 

Dave Bittner: Is there a historical element to this? I mean, in the past, when coders were being brought up and taught their craft, was security not a priority, or was it an afterthought? 

Matias Madou: It does have a history here. Ten years ago, there was really a security department, and all they had to do was find problems in code. That was their job. Their goal was not to make the code better. The goal was not to ship codes faster. Their job was really to find problems in code. So that is really the historical element over here - that 10 years ago, it was not their job. You know, priorities didn't align because the goal of an organization, the goal of a company is to really make a product that developers love. And to do so, we need to really make sure that we have code that is shipped fast without problems. Otherwise, the customers will not be happy. 

Dave Bittner: And so how do you recommend that we do that? I mean, how do we make the security process not be an anchor around their necks, if you will? 

Matias Madou: So first of all, security is outnumbered. If you look at security people per developers, well, there's roughly two security people per 100 developers, which means that they are hugely outnumbered. So the way that we can actually move forward is to bring the developers on the journey. We have to make sure that developers understand that writing security code will actually be beneficial for themselves in the long run as well. They will have to do less rework. They will have to fix less production issues. So in the long run, it's better for everybody to write secure code. Two security people per 100 developers - security needs to essentially empower developers with tools, with training, with knowledge on how to do that. And they can do that through training, for example, where it really has to be training that is relevant to what they're doing on a day-to-day basis. So they need to work on code that is relatable to what they're doing in the real world. 

Dave Bittner: And what about the cultural element here? I mean, how do you ensure that the security folks are collaborating with the developers and that it doesn't become adversarial? 

Matias Madou: From a cultural perspective, it's actually important that security understands that they are outnumbered and that they do not have access to the code. So even if they want to do something, they actually can't. It's the developers. It's the developers that are writing the code. So security has all the benefits to make it work with the developers. 

Dave Bittner: How do you recommend that organizations get started with this? I mean, I'm imagining, for some companies who've been around for a while, this represents a bit of a shift. 

Matias Madou: Oh, absolutely. And the way to get started is to make it a little bit more fun and engaging. If we talk about training and if we talk about security, well, that's not always sexy, you know? So we want to make sure that developers get into it through some more enjoyable way. And the way we can actually start is by throwing a tournament where developers and security come together, and together, they try and resolve problems, and they try and fix problems, but in a way that is a little bit gamified. And you can actually throw some prizes in there so that, ultimately, the developers have a good feeling. Like, hey, you know what? Security can be interesting and it can help the organization. And security, from their perspective, they can collaborate with the developers, and they are - you know, they can be seen as people that can help the developers. 

Dave Bittner: I'm curious. In your experience, has there been a recognition of this - or I'm wondering are new companies - do startups have an advantage here, that they don't have some of that legacy thinking, that they can come at this with a fresh approach? 

Matias Madou: Yeah, I really like that. So in general, it is good to take languages and frameworks that are hardened and that contain features and functionality to create secure code from the start. That's a way - you know, that's a way better approach. So absolutely. If you start with coding, take a framework, take a language that already contains a lot of good security behavior in it. 

Matias Madou: The unfortunate truth is, even if you do that, you quite often rely on open source applications on the open source libraries, and you do not know who created them, when they were created and what the security status is of something like that. So newer companies, they definitely have an edge. Unfortunately, there's still a lot of old software laying around. And we're building on top of old stuff. We're building new stuff on top of old stuff, and we never go back and fix the old stuff. So the unfortunate truth is there's plenty of software laying around that maybe was not even intended to be connected over the internet, right? So unfortunately, not everything is developed with security in mind. And we still rely a lot on legacy software. 

Dave Bittner: That's Matias Madou from Secure Code Warrior. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from the Johns Hopkins University Information Security Institute and also Harbor Labs. Joe, it is great to have you back. 

Joe Carrigan: Thanks, Dave. It's good to be back. 

Dave Bittner: So over on the "Hacking Humans" podcast, we talk about a lot of scams. And this is one that caught my attention. This is from the folks over at ZDNet, article written by Danny Palmer. And this is about some Android apps with over 20 million downloads that have been pulled from the Google Play store. What's going on here, Joe? 

Joe Carrigan: So it's about 15 apps - 15, 20 apps - that have been pulled down. In total, they have 20 million downloads. We'll talk about the most downloaded one in a minute. But what's happening here is that these are ads that have a malware package in them that is adware fraud. So I'm sure everybody who owns a smartphone - this is an Android phone, and I'm an Android user. 

Dave Bittner: Yeah. 

Joe Carrigan: You've downloaded an app that has ads based in it, right? 

Dave Bittner: Sure. 

Joe Carrigan: And you keep getting shown the ads. Well, when you see the ad, the person who wrote the app gets a little cut of money. And if you click the ad, the person who wrote the app gets a little bit more money, right? So some entrepreneurial malware writer said, well, why don't I just click for the user? 

Dave Bittner: (Laughter) We'll cut out the middleman. 

Joe Carrigan: We'll cut out the middleman. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: Why waste time waiting for them to click on ads so I can get more money? We'll just click on it for them. 

Dave Bittner: Sure. 

Joe Carrigan: And this is some really clever malware. First off, it doesn't do anything for like, an hour, right? So you install it and nothing happens for... 

Dave Bittner: Doesn't do anything bad for an hour. 

Joe Carrigan: ...For an hour. 

Dave Bittner: So you... 

Joe Carrigan: Right, yeah. 

Dave Bittner: OK. 

Joe Carrigan: So if there's an app - and there are apps in here that - one is, like, a task manager. One is a photo manager, a photo vault or something. Another is a... 

Dave Bittner: Yeah. 

Joe Carrigan: ...QR code reader... 

Dave Bittner: OK. 

Joe Carrigan: ...Camera enhancers. 

Dave Bittner: The usual suspects (laughter). 

Joe Carrigan: Yeah. Right. 

Dave Bittner: A flashlight app. 

Joe Carrigan: A flashlight app. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: That's another one, yeah. Modern Android operating systems have flashlights included. You don't need a flashlight app anymore. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: But maybe you have an older phone where it works. But the other thing that's interesting is that not only did it wait an hour, but when you were using the phone, it didn't run. It would detect that you were using the phone maybe through, like, the gyroscopic sensor or something. I don't know how it doesn't - the McAfee report might go into that. But if you're using the phone, it would stop clicking on ads for you, which is probably to make your phone more usable. So it's not really all that intrusive for you. 

Dave Bittner: Right. 

Joe Carrigan: But when you put your phone down, it starts clicking on the ads again and making a bunch of revenue for the manufacturer - or the app writer. So... 

Dave Bittner: So in the background... 

Joe Carrigan: In the background. 

Dave Bittner: ...It's doing this. You don't know it's doing this. 

Joe Carrigan: Right. And this has two impacts for the user. No. 1, it sucks up your battery life. 

Dave Bittner: Right. 

Joe Carrigan: Right? And No. 2, it uses data. So if you have a data cap and, like, you go over that data cap, and your phone company charges you per gigabit of data that you use... 

Dave Bittner: Yeah. 

Joe Carrigan: ...You could wind up paying data usage fees for this app. 

Dave Bittner: Right. 

Joe Carrigan: And one of the apps - in fact, the most-downloaded app that I promised we'd get to - has 5 million downloads and promises to tell you which apps are using the data. 

Dave Bittner: (Laughter). 

Joe Carrigan: So I'm sure it doesn't say that, hey, I'm the biggest offender, here. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: (Laughter) It says... 

Dave Bittner: Chef's kiss. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: Touché. Oh, wow. Interesting. 

Joe Carrigan: It's - you know, so you can look at this list of - this full list of apps that McAfee has posted and go out and uninstall them immediately. They're no longer available in the Google Play store. Google took them out. You know, I don't know what ad network they were using. It wouldn't surprise me if they were using Google's ad network. In which case, they would - Google would also be profiting from this. But I don't know if that's... 

Dave Bittner: Yeah. 

Joe Carrigan: ...The case. 

Dave Bittner: There are plenty of ad networks... 

Joe Carrigan: There are plenty of ad networks. 

Dave Bittner: ...Out there of varying degrees... 

Joe Carrigan: Correct. 

Dave Bittner: ...Of legitimacy, and (laughter)... 

Joe Carrigan: Correct, yeah. They may have been using one of the shady ones, right? Yeah. 

Dave Bittner: I'm curious. On Android, is there a built-in functionality that you can look at your list of apps and it'll tell you what apps are using your battery or using a lot of data? 

Joe Carrigan: There is. There is the - yes, both of those exist. 

Dave Bittner: OK. 

Joe Carrigan: Correct. And it is in the operating system. 

Dave Bittner: Yeah. 

Joe Carrigan: Yeah. 

Dave Bittner: So good idea to maybe check in on that from time to time and see if your flashlight app is chewing up a lot (laughter) of... 

Joe Carrigan: Right. 

Dave Bittner: ...Both battery and data - that perhaps something is amiss. 

Joe Carrigan: Yeah. One of the most annoying things - I don't know that this is the same kind of thing, but I used to get push notifications from apps, and you wouldn't - I wouldn't know where they were coming from. 

Dave Bittner: Oh. 

Joe Carrigan: But now, Android has made a - has improved to the point where I was getting - I made the mistake of installing Slice because I ordered pizza once with Slice. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: And I love pizza. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: Anybody that looks at me goes, that guy eats a lot of pizza. 

Dave Bittner: OK (laughter). 

Joe Carrigan: But Slice started giving me push notifications, and I went into my permissions and just stopped that from happening. It's... 

Dave Bittner: Right. 

Joe Carrigan: Android has gotten a lot better with that. 

Dave Bittner: Yeah, yeah. I think they all have, you know? I know... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Certainly on iOS as well. You know, there's been a lot of cracking down on that sort of thing. And I think the legit ad networks don't want this to happen as well. 

Joe Carrigan: No, they don't. They - because what's happening there is they're not - what will happen there is somebody will do the analysis on the effectiveness of ad clicks to sales. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: And they'll say that, OK, this ad network doesn't have the same effectiveness of ad clicks to sales as this network does, so... 

Dave Bittner: Right. 

Joe Carrigan: ...I'm going to buy over here. 

Dave Bittner: Yeah, they're not delivering value. 

Joe Carrigan: And that is the metric that the people who buy ads look at... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Right? - is what percentage of - it's called conversion. 

Dave Bittner: Yeah. 

Joe Carrigan: What can - what's my conversion? 

Dave Bittner: Yep, yep. All right. Well, this, again, is from the folks over at ZDNET - an article written by Danny Palmer. Joe Carrigan, thanks for joining us. 

Joe Carrigan: My pleasure. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.