The CyberWire Daily Podcast 1.12.18
Ep 514 | 1.12.18

Spectre and Meltdown patches may be messy, but not as performance-killing as feared. AMT exploit. Mobile ICS apps. Monero mining. Badness in the Play Store. Huawei ban? Droning while drunk.

Transcript

Dave Bittner: [00:00:00:19] We've got a quick favor to ask, if you could head on over to iTunes and leave a review for our Podcast, it would be greatly appreciated. It is one of the best ways to help spread the word about our show. Let people know why you enjoy it, why you choose to subscribe and listen every day. Thanks so much, we do appreciate it.

Dave Bittner: [00:00:19:02] Spectre and Meltdown get more remediations and they may not be as performance-killing as feared. F-Secure says if you leave your laptop alone it could be pwned in 30 seconds. Mobile ICS apps seem to be getting less, not more, secure. Google boots more bad stuff from the Play Store. Monero miners afflict unpatched Oracle WebLogic servers. The US Congress considers a Huawei ban. And New Jersey is considering solving one of its biggest problems: droning under the influence. Sprung from cages on Highway 9 or not, don't try that on the turnpike, kids.

Dave Bittner: [00:00:57:17] And now some notes from our sponsor, Cylance. You've heard of Emotet, the banking Trojan that re-emerged at the end of 2017 to trouble online banking customers. For now, it's hitting financial institutions, mostly in Austria and Germany. But even if you speak English, French, Hindi, Russian, Arabic, Chinese or Hebrew, well, don't get cocky, kid, your language community could well be in the on-deck circle.

Dave Bittner: [00:01:20:22] The new Emotet has a bad new dropper. It knows when you're sandboxing it, and it evades attempts to analyze it. Fortunately, you're in luck no matter where you are, Cylance can protect you. Check out Cylance's blog post about Emotet at cylance.com. That's Cylance. And we not only thank them for sponsoring the CyberWire, but we suggest you head on over to cylance.com for the skinny on Emotet.

Dave Bittner: [00:01:53:15] Major funding for the CyberWire podcast is provided by Cylance. I'm Dave Bittner with your CyberWire summary for Friday, January 12th, 2018.

Dave Bittner: [00:02:03:01] Spectre and Meltdown remain very much in the news. AMD yesterday revised its estimate of how susceptible its chips were to Spectre. The company had at first thought not very, and then, maybe a bit more, but only to one of the two Spectre vulnerabilities. But AMD now believes they're severely affected by both of the Spectre vulnerabilities. They've promised to get a patch out as soon as possible.

Dave Bittner: [00:02:28:05] The other players, notably Intel and Microsoft, but many other vendors as well, continue to work on fixing Spectre and Meltdown. The performance penalty the patches will impose is now becoming clearer, as Ars Technica reports: it's troublesome, but it seems less alarming than initially feared. Initial fears estimated the performance loss at around 30%, but it now seems clear that for most work flows it will be a shade under 10%, which means that most users won't notice much change at all.

Dave Bittner: [00:02:59:08] F-Secure researchers have demonstrated a way to exploit Intel's Active Management Technology that enables them to bypass BIOS and BitLocker passwords. The security company says that it's found that exploitation could let an attacker take control of a device quickly, in under 30 seconds. The under 30 seconds is a bit of FUD, maybe, however true it might be. We're reminded of the old movie "Gone in 60 Seconds," whose trailer featured the slogan, "You can lock your car but if he wants it, it's gone in 60 seconds." But if it serves as a word to the wise, that's all to the good. And there's a point to it, as well. Exploitation requires physical access to the targeted device. And a lot of people tend to pooh-pooh such exploits as just junk hacks. But under 30 seconds means there's the potential of a real threat here. So if you were to leave a laptop alone for an innocently short period of time, a trip to the lavatory, say, if you take those, or if you perch the laptop on the nearby table while you're grabbing something from a buffet line, or if you leave it unattended in your hotel room where an evil maid could reach it, or if you ask that friendly fellow-traveler to watch it for a minute while you step out for a smoke, your device could be pwned in 30 seconds.

Dave Bittner: [00:04:11:09] Yes, we know, you wouldn't do any of those things. And yes, we know you don't smoke either. But, you might ask about such things for a friend. So here's what that friend should know.

Dave Bittner: [00:04:23:08] Intel AMT is built into Intel CPUs so that the system administrators can monitor, update, upgrade, or otherwise maintain personal computers on their network. If you leave your device unattended, someone could press control-P during boot-up, select the Intel Management Engine BIOS Extension for the boot-up routine, and so bypass various logins. Sure, there's a password for that Extension, but alas most organizations leave the factory default in place. That default is the not so very hard to guess "Admin." Once "Admin" is in, "Admin" can have their way with the machine.

Dave Bittner: [00:05:00:01] There are a few things your friend could do. First, configure AMT so it requires an actual password. Second, don't leave the laptop lying around in, say, a Port Authority, or on a side table in Hobo Joe's River Creek Crab Shack. And third, if they don't need it, they might just disable AMT on their device.

Dave Bittner: [00:05:20:16] IOActive and Embedi have identified 147 vulnerabilities in 34 mobile applications that are widely used to interact with industrial control systems. The 34 Android applications tested were randomly selected from the Google Play Store. Here's what the researchers found: code tampering in 94% of the apps, insecure authorization in 59%, reverse engineering in 53%, insecure data storage in 47%, and in 38%, insecure communication. This is all worse than what they found in a comparable study during 2015. There's been an average increase of 1.6 vulnerabilities per app.

Dave Bittner: [00:06:02:07] Google has ejected more malign apps from the Play Store. One, a phony Telegram app, is a spamming tool. The others, some 60 of them, are infected with "AdultSwine" malware that serves up indecent, graphic ads to, among others, children.

Dave Bittner: [00:06:18:14] Monero miners are being installed in unpatched Oracle WebLogic servers. If you operate one or more of those, please do patch it. The up-to-date versions aren't being exploited.

Dave Bittner: [00:06:31:01] The US Congress is considering legislation that would bar Federal contractors from using Huawei equipment. The concern is security, and it looks as if Congress may be leading Huawei down the same path they took Kaspersky.

Dave Bittner: [00:06:44:20] Remember, GDPR, like winter in the Game of Thrones, is coming. The White Walkers… oh, actually we mean the EU officials, say people are good and lucky that Spectre and Meltdown didn't come to light after GDPR came into full effect this coming May. If they had, then some companies would have been facing fines. So remember, winter is coming… this May.

Dave Bittner: [00:07:10:03] And, finally, to all of our friends and listeners up in the Garden State, take care and beware. New Jersey is considering passing a law against drunk droning. That's right, if you're in, say Teterboro or South Hackensack with a blood alcohol level of 0.08% or worse, put down that quadcopter and just walk away. So, enjoy your Bolero Snort Blackhorn, but enjoy it responsibly. Don't be like that guy in Norway who was drunkenly bothering moose, or the Florida droner who buzzed alligators when he was tipsy. Leave those raccoons, bears, whatever, alone.

Dave Bittner: [00:07:49:10] And now a moment to tell you about our sponsor, ThreatConnect. On Tuesday, January 23rd, at 10am Pacific and 1pm Eastern time, they're teaming up with DomainTools for a webinar on mapping connected infrastructure. As you know, the more information you have about a potential threat, the better you can defend against it. And in order to stay ahead of malicious actors, it's crucial that security teams add context and enrichment to their threat data. The combination of the ThreatConnect threat intelligence platform and the DomainTools Iris investigative platform empowers security professionals to hunt APTs efficiently and effectively.

Dave Bittner: [00:08:26:11] Join Director of Product Integrations at DomainTools, Mark Kendrick, and Threat Intelligence Researcher at ThreatConnect, Kyle Ehmke, to learn how the same techniques can help network defenders and incident responders efficiently protect their own organizations. In addition, get an inside view into how ThreatConnect and DomainTools work together to enable thorough domain, actor and IP investigations. Sign up today at threatconnect.com/webinar. Once again, that's threatconnect.com/webinar. And we thank ThreatConnect for sponsoring our show.

Dave Bittner: [00:09:07:04] And joining me once again is Johannes Ullrich from the SANS Technology Institute, and the ISC StormCast Podcast. Johannes, welcome back. You know, we've just made our way through our holidays, and some people have been getting gifts and maybe re-gifting some of those gifts. So, you have some security tips when it comes to that.

Johannes Ullrich: [00:09:24:24] Yeah, one of the issues that we keep seeing popping up around the holidays is computer equipment, your speed drives, and in one case, actually, also things like USB picture frames that come pre-installed with some additional goodies. We sort of call them the certified pre-pwned kind of gifts that you can gift to your family.

Dave Bittner: [00:09:49:20] [LAUGHS] What kinds of things do people have to be careful of? And how can you know if something that you've received has something bad on it?

Johannes Ullrich: [00:09:58:09] The safe thing to do is whenever you receive something, even if it's shrink-wrapped in many cases, clear it out. Do a factory reset before you connect it to any of your systems. And, essentially, treat it sort of as a hostile USB drive. Just like you wouldn't pick up a USB drive that you find on a sidewalk. Essentially, these devices, you know, cameras and everything that connects to your speed connector on your PC, behave kind of like a USB drive. So, you may inadvertently start software that someone has pre-installed.

Johannes Ullrich: [00:10:38:01] We have seen a number of cases, for example, where in the factory malware was installed because a quality control system was infected. But, sometimes what is also happening is that someone tries out a product, probably infects it, and then returns it to the store. And the store sometimes puts it back on the shelf without wiping the system. So, it may already have data that whoever used it last put on it and, well, that data is not always beneficial to you.

Dave Bittner: [00:11:12:18] What about, you know, giving devices like this access to your WiFi network? A lot of them request that. Should we segment the network to protect ourselves against them?

Johannes Ullrich: [00:11:23:19] That's of course ideal if you can do it, and a lot of people can't necessarily do it. But, many of, even home network access points, have like a guest network that you can use for that. So, connect to a guest network first. And then, again, you do a factory reset first and download the latest firmware, if there is an update for it, and often there is, because these devices have been sitting on the shelf for a while. So, you know, get it configured, get it set up, become a little bit comfortable with the device. If you have the capability, by all means, look for traffic going in and out from a device. I had, a year or so ago, a little weather station that sent my WiFi password back to the manufacturer. So, you certainly want to be a little bit careful, depending on how much you want to geek out with this. But, the more checking you can do, the better.

Dave Bittner: [00:12:20:06] Alright, good advice as always. Johannes Ullrich, thanks for joining us.

Dave Bittner: [00:12:29:02] And now a moment to tell you about our sponsor, Control Risks. As your business expands and diversifies, so does your exposure. Your strategic partnerships, supply chain, and service providers help keep your business competitive. But, in an interconnected and increasingly regulated environment full of third party compromises, their risk can become your problem. It's critical to understand how protecting your system's data and reputation requires vetting and visibility beyond your own environment. Control Risks uses its uniquely global reach, local experience, and multidisciplinary expertise to help clients identify and mitigate third party risk, from cyber due diligence assessments and jurisdiction-specific regulatory reviews, to compliance and third party management program development.

Dave Bittner: [00:13:17:15] As you seize opportunities to grow, let Control Risks be your first trusted partner to ensure third party relationships are an asset to your business, not a liability. Find out more at controlrisks.com/cyberwire. That's controlrisks.com/cyberwire. And we thank Control Risks for sponsoring our show.

Dave Bittner: [00:13:48:04] My guest today is Phil Reitinger. He's the President and CEO of the Global Cyber Alliance, a non-profit founded in 2015. Previously, Mr Reitinger was appointed to serve as the Deputy Under Secretary for the National Protection and Programs Directorate, and the Director of the National Cyber Security Center in the US Department of Homeland Security. Prior to that, in the private sector, he was Sony's Senior Vice President and Chief Information Security Officer, from September 2011 to September 2014.

Phil Reitinger: [00:14:18:03] We're headquartered in New York City and London, but unlike a lot of other bodies, we don't do reports and recommendations. Our focus is on actually implementing measures to reduce systemic cyber risk. So, our goal is to find a problem where there appears to be a solution that's not being broadly deployed. And then we bring the right coalition of people and resources and capabilities together, to see if we can drive actual implementation of that solution and then measure how effective it is. So, we try to solve problems, one problem at a time.

Dave Bittner: [00:14:54:17] So, the fact that you're a non-profit, how does that benefit your efforts?

Phil Reitinger: [00:15:01:00] It means that we're not out in the game to try and build a market. We're trying to get solutions out there, which lets us work with other non-profit entities, with governments and with private sector companies who may have their own interest. For example, one of the things we've done is work very strongly to drive global deployment of an email authentication protocol called DMARC, that can stop spoof email phishing in its tracks. So, there are companies that work in that space, there are a lot of entities that depend on DMARC, and governments can deploy it too. And being a non-profit, we're not in there to make a business long term. We're just in there to try and get everybody to deploy this, so people can be safe from phishing.

Dave Bittner: [00:15:46:10] I mean, take us through the methods that you use. Do you have developers working in-house? Or are you partnering with other people?

Phil Reitinger: [00:15:54:10] So we partner with about 200 different companies and government entities, and non-profits around the world. So, we rely a lot on contributions from them. But, again, unlike a lot of nonprofits, we do have a development shop. So, we don't have to depend on other people to write the code for us; we've got a group of people, if a solution needs code, who can write the code. So, for example, one of the things we did with DMARC, to try and make this email authentication mechanism easier to deploy, is we built a wizard that can take you through the process of deploying, not only it, but the other protocols, like SPF, on which it depends. So, we wrote the code that does that, and we're able to get that out there and make it available to everyone. And we're able to do it as the Global Cyber Alliance in an international way. So, that wizard is now available in 13 different languages.

Dave Bittner: [00:16:47:10] And you have an interesting origin story. Your original funding came through New York, I believe? And it was some civil forfeiture money, yes?

Phil Reitinger: [00:16:56:03] That's right. Originally funded. Our seed money, if you will, is from the Manhattan District Attorney's Office, which allocated to us seed funding of up to $5 million a year for up to five years from asset forfeiture funds. So, money that was taken as a part of a fine is being used to help prevent cyber crime. And the reason the Manhattan District Attorney, along with our other two co-founders, the Center for Internet Security, and the City of London Police, founded us is, you know, all of them have become convinced that we can't sort of deter our way out of this crisis. You know, prosecutions and threats alone are not going to get people to stop hacking. We've actually got to do a much better job of preventing cyber crime. And so, the DA, who is the principal funder, Cyrus Vance Jr. of the Manhattan District Attorney's Office, wanted to invest some of the money from proceeds of crime into trying to prevent crime.

Dave Bittner: [00:17:56:06] One of your focuses since your start up, has been phishing. It strikes me with phishing being such a human factor, the ability to fool people into clicking onto things that they shouldn't click on. What's your approach to trying to tackle the phishing issue?

Phil Reitinger: [00:18:14:12] Phishing obviously takes a number of different approaches. The way we think about issues is, you know, training I think is important for people. But, you're never going to train your way out of the phishing crisis. You know, about, well over 90% of intrusions start with a phishing attack. And phishers have gotten so good, and I'm sure you've seen this, they can produce phishing emails that fool the strongest experts. So, our approach is, on any project, to try and build protections into the ecosystem, if you will, so that you get security with connectivity. That, you don't have to do anything extra special, you can just enable something and then go forward. So, what DMARC does is DMARC is sort of a technical means that if your web-mail provider, or your email provider, has deployed it, and chances are very, very good that it has, and the company sending your email has deployed it, then you can't get spoofed from that company anymore.

Phil Reitinger: [00:19:14:13] So, if your bank has deployed DMARC, you know, it doesn't matter whether you get a really good phishing email, or not. If it is stated to come from, you know, bank.com, the bank that you are using, and they've deployed DMARC, then, you know, if they've done it the right way, and your provider's done it the right way, that email will go straight to trash, or be marked as spam, regardless of anything you do. The other thing we did is build, with several partners, including Packet Clearing House and IBM, a global unicast DNS infrastructure, that's now operating under the name Quad9. So, if you've heard about Quad9, we were one of the builders and founders of that. That operates on a notion. For example, let's say you click on a link in a phishing email that you should not have. If that takes you to a bad domain, and Quad9 knows it's a bad domain, and it knows a lot of things are bad domains, then you simply don't go there. You get what's called an NXDOMAIN; you are not routed to the bad site. So, despite that you've made a mistake, you're not taken to the phishing site, or malware is not downloaded.

Dave Bittner: [00:20:24:15] So, it's sort of protecting the users from themselves, as an intermediary, if you will?

Phil Reitinger: [00:20:29:22] Very much. You know, automatic protection is required, and, you know, it's not because users who don't know better make mistakes. It's because everybody makes mistakes, you know, we're humans. We've actually gotten so much better in the physical ecosystem at building protections in. When you buy a car in the US, you get seat belts and you get air bags, and that's true around the world. We've got to put the same sort of protections on the Internet. So, people who are not cyber security professionals, can be reasonably secure, even if they're not paranoid. And right now it really takes paranoia.

Dave Bittner: [00:21:07:22] So, in terms of success, how do you all measure if the job that you're doing is making a difference?

Phil Reitinger: [00:21:14:11] We're continuing to work on that. Right now, we measure what we can. So, for DMARC, the thing that we measure the most right now is how many people use our wizard to deploy DMARC. And that's been about 3,000 domains that have taken a look at our wizard, and then deployed DMARC at an effective level. Our calculations. So, that's a very effective return on investment. We're also looking at how broadly we're affecting the ecosystem, which is hard to tie directly to us, but we're part of a coalition. So, you know, one of the things that happened recently that we're very pleased with, is the US government actually required all civilian government agencies back in October to, as part of a number of different things, deploy DMARC. And so we're measuring how far along Homeland Security and all of the departments and agencies in the US are coming towards getting to that conclusion. And they're roughly about halfway there, with a week and a half to go, to meet the first deadline. So, they've got a long way to go, but they're making much better progress than they did before.

Phil Reitinger: [00:22:21:19] For things like DNS, you know, we can measure how many things we block, how many calls to the service we're getting. And right now, Quad9, thanks to the publicity from the launch back in November in how effective the service is, is not only getting rave reviews, its usage is taking off around the world.

Dave Bittner: [00:22:41:01] So, in terms of partnering with people, who are you looking to reach out to, and what's the best way for them to get in touch with you?

Phil Reitinger: [00:22:47:22] We're looking to partner with entities that really want to put some effort into working on cyber security and solving real issues. So, you know, we're not a talk shop. We've done an event or two, but, you know, that's not what our core business is. Our core business is actually implementing these things that solve problems. We are happy to have people come and join as a partner. We're actually not a pay to play organization. So, we accept partners regardless of ability to pay, as long as they want to invest resources, whether it's expertise, or help with publicity, into the effort. We do ask people, entities that want to join, to put some effort in. And, of course, we'd love to have contributions. Anyone who can make a real difference, and wants to work on these issues and solve problems, is welcome to join. To get more information, you can visit our website, which is www.globalcyberalliance.org. And you can get more information by sending an email to info@globalcyberalliance.org.

Dave Bittner: [00:23:51:13] That's Phil Reitinger from the Global Cyber Alliance.

Dave Bittner: [00:23:57:17] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com.

Dave Bittner: [00:24:10:13] And thanks to our supporting sponsor, E8 Security. Follow the behavior, find the threat. Visit e8security.com to learn more.

Dave Bittner: [00:24:19:20] The CyberWire podcast is proudly produced in Maryland, out of the start up studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology.

Dave Bittner: [00:24:29:05] Our show is produced by Pratt Street Media. With editor John Petrik. Social media editor Jennifer Eiben. Technical editor Chris Russell. Executive editor Peter Kilpe, and I'm Dave Bittner. Thanks for listening.