Iranian reconnaissance of critical infrastructure? Leaky banking apps. Microsoft's emergency patch. Ghosts of the Caliphate threaten, but have yet to deliver. New horizons in biometrics.
Dave Bittner: [00:00:00:05] As always a big thank you to all of our supporters on Patreon. It's at patreon.com/thecyberwire. Maybe today is the day that you will become a supporter of the CyberWire. We do appreciate it.
Dave Bittner: [00:00:14:00] FireEye warns of patient reconnaissance on the part of the probably Iranian APT34. The Electronic Ghosts of the Caliphate have so far failed to say "boo," except maybe in South Jersey. Flaws are discovered in mobile banking apps. A bike-sharing service leaked data. Bitcoin's bubble. Microsoft patches its Malware Protection Engine. And biometrics have come to the beagles, your pet door can now recognize Rover or Boots, and let them on in. Their raccoon pals stay outside.
Dave Bittner: [00:00:48:17] Now I'd like to tell you about a White Paper from our sponsor, Delta Risk. More than 90% of companies are using the cloud. Although the benefits are clear, moving to the cloud comes with new and unique security challenges. In the White Paper, Understanding The Challenges Of Cloud Monitoring And Security, Delta Risk cloud security experts outline the key methods organizations can adapt to gain clearer visibility into their network and critical assets. You can get your copy of the White Paper by visiting deltarisk.com/whitepapers-cloudmonitoring. Delta Risk LLC, a Chertoff Group company is a global provider of cybersecurity services to commercial and government clients. Learn more about Delta Risk by visiting deltarisk.com. And we thank Delta Risk for sponsoring our show.
Dave Bittner: [00:01:46:16] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, December 8th, 2017.
Dave Bittner: [00:01:56:03] Iranian threat groups, Charming Kitten among them, the group associated with hacking HBO, have attracted more attention this week. More serious than hacking a television show are reports of Tehran's hackers having made quiet inroads into compromising Western infrastructure, especially the US. No major attacks are reported, but security organizations have their eyes open.
Dave Bittner: [00:02:18:24] FireEye has been tracking the Iranian threat group they call APT34 since 2014. Its activities have affected targets in the Middle East, and it appears to be continuing its patient, quiet reconnaissance of infrastructure targets. Iranian cyber operators are believed responsible for attacks on US infrastructure in the past, notably financial services targets and, far less serious in effect but arguably more disturbing in its implications, the small Bowman Street flood control dam in Rye, New York.
Dave Bittner: [00:02:50:00] FireEye says its attribution of APT34 to Iran is an assessment of "moderate confidence." The group has modified its approach to take advantage of new exploits and vulnerabilities as they are discovered. It has used malicious Excel macros and PowerShell exploits to move within networks, and it's also shown some extensive social engineering chops in social media, where it's used bogus or compromised accounts to get close to the organizations it's targeting. FireEye says in its report, that they are a capable group that seems to have access to its own development resources. FireEye concludes, quote, "We assess that APT34’s efforts to continuously update their malware demonstrate the group’s commitment to pursuing strategies to deter detection," end quote.
Dave Bittner: [00:03:35:20] There are other threat actors with Middle Eastern connections who don't show the capabilities of the APTs that appear to be operating from Iran. Prominent among these are the various hacktivist cells faithful to ISIS, who can be expected to step up their threats as the Caliphate's territory has now effectively vanished. ISIS hacktivists and official online media have excelled at recruitment and inspiration, and these have been dangerous, and the source of much suffering. But proper hacking hasn't advanced much beyond low-grade vandalism of poorly secured sites. You've seen the sort of thing, an online card catalog for a public library, say in Lower Crabcake, Maryland, is vandalized to show a gif of the White House in flames, stuff like that.
Dave Bittner: [00:04:19:19] So today is the day ISIS promised to bring America to its knees with a massive cyberattack. A video posted by adherents of the terrorist group promised, "We will face you with a massive cyber war...Black days you will remember." The specific group making the threat was the "Electronic Ghosts of the Caliphate" or the "Caliphate Cyber Ghosts," but as we publish today the only sign of ISIS hacking appears to have been some defacement of the Gloucester Township website. We believe this is the Gloucester Township in southern New Jersey. "The lions of the Caliphate will be at your door" is what Fleet Street's Daily Mail reported was said, but when we looked it all seemed in order. The mayor's picture was up, and he's smiling and looking good. We can't even confirm what the Daily Mail reported, and if you're the Gloucester Township at whom the lions of the Caliphate roared, let us know.
Dave Bittner: [00:05:09:19] Researchers at the University of Birmingham report finding flaws in a banking security app that expose the data of millions of bank customers to credential theft. It's a vulnerability that opens the apps to man-in-the-middle attacks. The apps' cryptographically signed certificate seems to have failed to verify the server's hostname when the app connected with it. Man-in-the-middle attacks could intercept usernames and passwords during online banking sessions, and these could lead to account hijacking and of course theft. Fixes are for the most part in, accompanied by much tut-tutting from the security industry about slipshod app development.
Dave Bittner: [00:05:47:03] It's not just gig-economy ride sharing outfits who have to deal with leaks. It's bike-sharing operations, too. oBike, the widely used bicycle-sharing app, is investigating a leak that may have affected users in some 14 countries. This one appears to have come from a gap in oBike's API, one intended to allow users to refer friends to the service. The information exposed was relatively benign as such information goes, names and ride locations, not passwords or credit card numbers, but the exposure is still unsettling.
Dave Bittner: [00:06:20:14] Bitcoin and other cryptocurrency prices are way up in a major speculative bubble, and criminal attention is enthusiastically keeping pace. Why are people saying "bubble?" Because the price of Bitcoin jumped from $12,000 to $15,000 this week, with comparisons being made to the tulip bubble of 1636, which crashed spectacularly in February of 1637. If you're one of those who takes historical lessons seriously, get a copy of "Extraordinary Popular Delusions and the Madness of Crowds" from your library. If you're one of those who thinks history is bunk, well, perhaps you'd be interested in an investment in Voppercoin, available at most of the Burger Kings in greater Moscow.
Dave Bittner: [00:07:01:17] Microsoft has issued an emergency out-of-band patch to its Malware Protection Engine. It's a remote code execution flaw present in Windows Defender, Microsoft Security Essentials, Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016. A memory corruption error in the malware scanner is what opens the door to exploitation.
Dave Bittner: [00:07:24:12] And finally, biometrics has come to the beagles. If you've been worried about some random animal walking in and out of your house via the unsecured pet door without so much as a by-your-leave, Redmond may have a solution for you, a pet door that acts like a bouncer on a Studio 54 rope line. The Microsoft solution recognizes your pet's face, letting in Snoopy and Garfield, but keeping out Tom, Jerry, Marmaduke, raccoons, opossums, squirrels, wombats, mongooses, and so on.
Dave Bittner: [00:07:55:08] We're a BYOD shop here, bring-your-own-dog, so naturally this caught our eye. There's an emphasis, an overemphasis we might say, on cats, but we assume that the system works with other pets as well, dogs, iguanas, rabbits, skunks, chameleons, hamsters, ferrets, hermit crabs, the whole Ark-full. Why shouldn't it? You'd think that Microsoft's experience with Tay-the-teenage-AI's misspent adolescence would have taught them to be properly inclusive, and hold the door open for your companion chuckwalla or pet periwinkle.
Dave Bittner: [00:08:29:23] Now I'd like to share a message from our sponsor, Nehemiah Security. Fellow cybersecurity leaders, when your CEO asks department heads for a status update, do you envy your colleagues, like the VP of Sales, or CFO, who only have to pull a report from a single system? Instead of deploying a team of people to check multiple systems and then waiting for them to report back, do you wish you had a single place to get the information you need to communicate with the CEO? Nehemiah Security is here to put that power in the hands of the cybersecurity leader. It's time for a quick solution that allows you to go to one place to get the security information you need, quickly, and in business terms your CEO can understand. Nehemiah Security gives cybersecurity leaders the ability to report cyber risk, in terms of dollars and cents. Visit nehemiahsecurity.com to learn more and get a free customized demo just for CyberWire listeners. Visit nehemiahsecurity.com today. That's n-e-h-e-m-i-a-hsecurity.com. And we thank Nehemiah Security for sponsoring our show.
Dave Bittner: [00:09:40:04] And joining me once again is Chris Poulin. He's a Principal and Director for Booz Allen's Dark Labs, where they focus on IoT security and machine intelligence. Chris, welcome back. You know, our editor, here at the CyberWire, John Petrik, recently came back from an ICS conference, I believe it was in Atlanta, and he made the observation that the IT people seemed to be optimistic about security, but the operational people seem to be pessimistic about security. What's your insight on that?
Chris Poulin: [00:10:09:11] Huh. So it's-- It is interesting because another trend that we've been seeing is that IT and OT has been converging for a while. So, you know, five, ten years ago it was, let's separate these things and have a air gap and interestingly the CISO, who's traditionally overseeing the IT side, is now being given the purview over the OT side as well. However, not necessarily the authority because, if you think about it, the OT side, in many businesses, is where the money is made and so any downtime on the OT side often means direct impact on revenue. And so what ends up happening is that the CISO doesn't necessarily have authority, even though he or she has purview over it. But the thing that the plant operators know is that those systems on the OT side of the house are fairly fragile. You can't just go in with an IT vulnerability scanner and scan the whole thing. In fact you can't even ping the whole-- You can't ping those things. Many cases, they'll just plain old fall over.
Chris Poulin: [00:11:09:17] And so, you know, to some extent that's one of the fears, is that the IT side is going to come in and just sort of tromp through the living room with muddy boots, you know, they don't really understand OT. And one of the things that's kind of interesting about it is that there's-- The language is not the same, either. So for example, in IT we talk about cybersecurity, we all know what we mean, you know, it's-- And it's important and we take it seriously and that's taken some years, by the way, to get to where we are now. On the OT side, they don't talk about cyber in that sense, because the most important things are availability, so having continuous uptime, and safety, and then tertiary is compliance, you know, regulatory compliance. So when you start talking about cyber, they don't necessarily make-- It sounds like an IT term to a lot of the plant operators, and they don't necessarily equate that with what's important to them which is availability and safety.
Chris Poulin: [00:11:59:09] And so I think that's one of the things that needs to happen is that the IT side needs to become a little bit more familiar with what happens on the OT side, and starts speaking the same language. And then I believe that this, you know, this trend will start to temper out a little bit, right, and then they'll start to come together which is-- If you go in as an IT person and say, we understand what you're doing, we understand how important it is to the business, we understand availability and safety and we want to help you, because cyber actually impacts those things then I think that's when we'll all sort of come together and OT and IT will finally converge and everybody will become one. Kumbaya.
Dave Bittner: [00:12:42:06] We can all hope, right? If only it were that easy. Chris Poulin, thanks for joining us.
Chris Poulin: [00:12:47:15] Yeah, thank you once again.
Dave Bittner: [00:12:52:19] Now I'd like to share an important upcoming opportunity from our sponsor, Cybric. On December 12th, DevSecOps experts from global payment solutions provider VISA and Cybric with the first of its kind continuous application security platform are teaming up for a webinar to talk Enterprise Cyber Threat Survival. How can you protect your organization against the devastating breaches you hear about all the time in the CyberWire? Swapnil Deshmukh, Senior Director of Emerging Technologies and Security for Visa, and Mike Kyle, CTO at Cybric, will weigh in. They'll talk about how rapid innovation and continuous delivery via DevOps exposes organizations to a constant evolving cyber threat, and how seamlessly embedding continuous security within existing ecosystems will enforce security across production environments.
Dave Bittner: [00:13:40:17] Join them for this insightful and information-packed webinar on December 12th, 2017 at 1pm US Eastern Time. You can learn more, and register today, at thecyberwire.com/cybric. That's thecyberwire.com/c-y-b-r-i-c. And we thank Cybric for sponsoring our show.
Dave Bittner: [00:14:09:13] My guest today is Adam Segal. He's Director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, where they've recently launched an online cyber operations tracker.
Adam Segal: [00:14:21:08] The Council is a nonpartisan independent foreign policy think tank. We take no official positions and no government money and our mission is to educate the American people about foreign policy issues that will affect them and hopefully help create better policies to pursue American interests.
Dave Bittner: [00:14:46:19] So you all have taken on this task of tracking state-sponsored cyber operations. What led you to taking this on?
Adam Segal: [00:14:54:04] So I think we felt like there was growth and interest in state operations just because of all the reporting about hacking, but there was a lot of, I think, confusion about what the states were doing, why they were doing it? Who was involved? Just because of some of the inconsistencies in reporting across events.
Dave Bittner: [00:15:16:23] And so what is your approach to this tracking system?
Adam Segal: [00:15:20:18] We have tried to collect every publicly reported operation that has sort of multiple sources, both media and cybersecurity and other governments. We've tried to find more than one report for an event and then publicly list them. We realize the data is going to be incomplete. Probably lots of operations have happened but have not been either tracked by companies or governments or haven't been reported. And so, actually, on the website, we also have a reporting function, so people in the industry or others can help us-- Point out things that we've missed.
Dave Bittner: [00:16:05:05] What do you see taking place in terms of the evolution of the role of cybersecurity in geo-politics?
Adam Segal: [00:16:12:10] Looking at the time line we see the vast majority of attacks are espionage. And so states were using cyber operations primarily to collect information on adversaries or on activists and civil rights groups and then a huge chunk of that was also Chinese threat actors collecting intellectual property or business secrets for the competitive advantage of Chinese firms. As you move through the timeline, in particular over the last two or three years, you start seeing a decline of the Chinese operations, in part driven by the agreement between the United States and China but also a slow uptick on more disruptive and destructive attacks, data destruction, ransomware and other operations.
Dave Bittner: [00:17:11:02] Do you see this being a situation where ultimately we're going to have to have thinks like treaties, that will take care or address cybersecurity issues?
Adam Segal: [00:17:19:18] Yeah, so there, there's been a large push, driven in part by the United States, to develop norms, or rules of the road for cyberspace. I don't think treaties are very likely, just because, you know, most of our arms control treaties are based on some forms of control and verification, right? We can count how many nuclear missiles there are or how many ICBMs there are. We can inspect factories. None of that's going to be available in the malware space. You can't really inspect and make sure people are not developing weapons. So we're going to have to come up with some kind of shared agreements upon what is considered legitimate behavior. I think that's going to be very, very hard to do, for everything under a use of force or an armed attack. So, right now, it would be fairly clear to respond, so if a cyberattack caused physical destruction or death, the United States has stated that it would act like it would for any other type of physical attack that caused destruction or death.
Adam Segal: [00:18:23:13] So we might get some agreements with the Russians or the Chinese in that space, because neither of those countries really want a cyber engagement to escalate to physical conflict. We may decide that certain types of critical infrastructure should be off limits or at least have some greater understanding of what a threshold for use of force might be. The problem is, is that everything below that line, espionage, DDoS attacks, doxing, information operations, all those other areas where states are most active, that's going to be very, very difficult to get any type of agreement, and I think it's very unlikely.
Dave Bittner: [00:19:01:15] It strikes me that nations have been reticent, the United States in particular, has been reticent to, to draw any lines in the sand when it comes to those flavors of cyberattacks.
Adam Segal: [00:19:15:11] Yeah, I think that's right. I think states have been pretty reluctant, generally, because nobody's really sure how the capacities are going to develop and how important they're going to be, and so nobody wants to restrain themselves before they know. But I think also, you know, for the US, this new revelation certainly suggest that the US is pretty good at espionage, and conducting these operations, and so it has not been interested in having a broader treaty. The Russians and Chinese have said, well, these are-- It's a new technology, we need to have new treaties. And their definition of cybersecurity is more expansive and includes what the Chinese and Russians would call information security so the concern about content, and the free flow of information and so it's been very hard for the US to come up with some shared definitions below the threshold of an armed attack.
Dave Bittner: [00:20:10:06] That's Adam Segal from the Council on Foreign Relations. You can learn more about their cyber operations tracker by visiting their website cfr.org and searching for cyber.
Dave Bittner: [00:20:24:15] That's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you, they use artificial intelligence, check out cylance.com.
Dave Bittner: [00:20:38:18] The CyberWire podcast is produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.
Dave Bittner: [00:20:47:06] The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik. Social Media Editor is Jennifer Eiben. Technical Editor is Chris Russell. Executive Editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.