Phishing campaign targets Israeli scientists. Low-level contract phishing in China's hinterlands? Apps with privacy flaws. Cisco patches ASA products. Cryptocurrency speculation and fraud.
Dave Bittner: [00:00:00:21] Thanks to all of our Patreon supporters for helping us keep the doors open, you can find out how you can become a supporter by visiting patreon.com/thecyberwire.
Dave Bittner: [00:00:12:17] There are possible Charming Kitten sightings. Phishing in Tibet shows just how successful cheap skid labor can be. Cisco patches a serious flaw in its VPN products. The fitness app Strava says it will work to close privacy holes. Experts say you're just a tap away from giving yourself away and it's not just Strava, not by a long shot. South Korea considers how cryptocurrency might be regulated. The US SEC shuts down an allegedly fraudulent ICO. And what do you call an ICO that steals the price of a cheap seat?
Dave Bittner: [00:00:50:08] Time for a few words from our sponsor, Cylance. You've probably heard of next generation anti-malware protection and we hope you know that Cylance provides it. But what exactly is this next generation and why should you care? If you're perplexed, be perplexed no longer because Cylance has published a guide for the perplexed, they call it next generation anti-malware testing for dummies, but it's the same principle, clear, useful and adapted to the curious understanding. It covers the limitation of legacy anti-malware techniques and the advantages of artificial intelligence and why you should test for yourself, how to do the testing and what to do with whatever you find. That's right up my alley and it should be right up yours too. So check it out at cylance.com. Take a look at next generation anti-malware testing for dummies, again, that's Cylance and we thank them for sponsoring our show.
Dave Bittner: [00:01:50:13] Major funding for the CyberWire podcast is provided by Cylance, I'm Dave Bittner with your CyberWire summary for Wednesday, January 31st, 2018.
Dave Bittner: [00:02:01:20] Hackers thought to be associated with Iran have been phishing Israeli nuclear scientists. The bait consists of links to bogus British news sites. The links were to the fictitious "British News Agency," a false flag that hitherto had been flown in phishing expeditions against Iranian dissidents, human rights activists, academics with a scholarly interest in Iran, media personalities and the like. Researchers at the Israeli cybersecurity company ClearSky attributed those earlier efforts to the threat actor called "Charming Kitten" which ClearSky said was Iranian, and "state-sanctioned."
Dave Bittner: [00:02:37:15] The latest round of phishing that targeted Israeli scientists is also being attributed to Charming Kitten, but of course this is early and attribution is notoriously both circumstantial and difficult. A quick taxonomic note: threat groups associated with Iran tend to have feline names, presumably by association with Persian cats. Those associated with Russia are bears, those with China are often pandas.
Dave Bittner: [00:03:03:14] Phishing in the interest of state security can be done cheaply and without much skill. The University of Toronto's Citizen Lab has a report on a campaign directed against "members of the Tibetan community." For just a little more than a thousand bucks and some pretty ordinary web development and sysadmin tools, the phishers successfully spied for 19 months. Citizen Lab with commendable modesty and reticence doesn't offer any attribution, but it's been easy for observers to connect the dots and speculate on the basis of the campaign's target list.
Dave Bittner: [00:03:35:19] The targets include Tibetans, to be sure, but also members of China's minority Muslim population and adherents of the Falun Gong religious movement, a movement not in good odor with the government in Beijing. All of this suggests a Chinese government operation, or at least one closely aligned with the government's interests. Citizen Lab suggests the actors may be "low-level contractors," but it's unclear who gave them the targets or how that hypothetical customer consumed the information the contractors delivered. It's a cautionary tale of phishing. The attackers spent just over a thousand dollars on infrastructure and another $190 to rent some servers, but with this they were able to compromise enough email accounts to successfully phish for more than a year and a half.
Dave Bittner: [00:04:23:04] Cisco has patched serious vulnerabilities in its VPN offerings, specifically in ten products that run Cisco ASA. Users are advised to apply the patches as soon as possible to avoid the possibility of remote code execution. The flaw is a dangerous one: it received the most severe CVSS score possible, that's the Common Vulnerability Score System rating: ten out of a possible ten. Successful exploitation could result not only in remote code execution, but in denial of service as well.
Dave Bittner: [00:04:56:10] It seems like it might take a while for things to calm down with regard to the Meltdown and Spectre vulnerabilities with patches being released and pulled for desktop operating systems. There's less talk on the mobile side, so we checked in with JT Keating from Zimperium, a company that specializes in protecting mobile devices, for his take on where things stand.
J.T. Keating: [00:05:16:21] On the iOS side of things, Apple has released patches specifically for Meltdown, they were in the process of sending out updates to Safari which was going to be their solution to how to handle Spectre. Google pretty much followed suit, when it came to the exact same thing, but of course, you know, with Google, we've got the challenges associated with how changes actually make their way through the Android ecosystem. Pretty consistently when we do our global threat data, we see that well over two thirds is not, you know, sometimes depending on timing, 80% of Android devices are running out of operating systems. Whereas it's about a third, 25% to a third for iOS. But the patches allegedly for both of those are out, it's now a matter of whether or not users upgrade and whether or not, on the Android side of things, that it actually percolated all the way through their ecosystem.
Dave Bittner: [00:06:14:23] And you know, I think a part of what's been puzzling for people, is there's been a lot of uncertainty on the desktop side. The patches were released and then pulled back and they've said "Upgrade or update." And then they've said, "No, hold back on updating," so do things seem a little more settled on the mobile side?
J.T. Keating: [00:06:33:06] You know, they are from a perception standpoint and one of the biggest differences between mobile and traditional endpoints, is that there's no such thing as a patch management system, right. So, you talk to any Enterprise security guy, they'll tell you that the single greatest security risk to a company is the carbon based life form. You know, it's a human being, right. Well in traditional endpoints, you've got a patch management system like BigFixor something and then you've got centrally managed antivirus and you've got essentially managed network firewalls and everything like that. But now you take this user that makes bad enough mistakes as it is, with all of those precautions and you give them a super computer and you say, "Okay, now you're the admin for it, you're responsible for deciding what networks you're going to go in and out of, you're responsible for deciding what apps you're going to download and oh by the way, I'm totally beholden to you, to update your devices, right."
J.T. Keating: [00:07:32:08] So whereas advice like, "Well, first to patch out," "No, no, no, let's roll it back, because we've found that there might be some issues in performance, for instance, on the traditional endpoint side." You don't really get that on the mobile side. So, even though it's probably, there might be situations where they're like, "Yeah, maybe we need to push out another version of the patch," they don't have that ability to play the push me, pull you, that you were discussing on the traditional endpoints. So what we see a lot of times is, they just won't say anything at all. They'll just wait and then just do another patch. So, for instance, Apple came out with another patch a couple of days ago, one of those included some stuff for Meltdown. So that's what they do, is they'll just push out another patch, as opposed to say, "Yeah, let's roll that one back," because they have no ability to roll it back.
Dave Bittner: [00:08:19:15] On the mobile side is there any indication of what we might expect to see in terms of performance hits?
J.T. Keating: [00:08:26:20] You know, we've seen a lot of estimates on it, but the estimates on mobiles seem to be significantly less than some of the predictions we've heard in some of the other places. It seems that the biggest hits from people I've been talking to, have been in larger processing environments, cloud environments, server farms, you know, things along those lines. The percentages we've heard have been, you know, relatively low and we're talking like single digit, one percent, two percent type stuff. It hasn't seem to have been a major issue. There was a lot of thud about it, right off the bat, but in terms of any testing and we've been doing some testing, we haven't seen any significant, truly significant performance impacts on the mobile devices that we're playing with. Now I'm sure, if you're dealing with really older versions, it would probably be more noticeable, but the little supercomputers today, it hasn't seem to have been that big of a deal.
Dave Bittner: [00:09:20:23] That's J.T. Keating from Zimperium.
Dave Bittner: [00:09:25:14] The CEO of Strava promises to work with the US military and Government to better keep sensitive data secure. The company's fitness app generated a publicly accessible heat map of user activity that could be readily correlated with the location of sensitive US bases. Even anonymized and aggregated data can yield interesting intelligence.
Dave Bittner: [00:09:46:17] An opinion piece in Technology Review argues that when it comes to user privacy, you're probably on your own. A report in the Guardian seconds that conclusion, noting that Strava isn't the only app tracking you. You're just a tap away from giving yourself away. Look closely at the permissions you give your apps.
Dave Bittner: [00:10:06:02] In cryptocurrency news, South Korean authorities report that recent fraudulent coin speculation and theft has produced some $600 million in fraud. They will permit trading to continue, however, as they work through how they might better regulate that country's thriving, early adopting cryptocurrency market. And the US Securities and Exchange Commission last week alleged fraud and shut down AriseBank's initial coin offering. It's not just the alleged fraud, the SEC said, but also AriseBank's failure to properly register what it was selling as a security. This continues the SEC's pattern of regarding many cryptocurrency offers and instruments as securities.
Dave Bittner: [00:10:48:09] And, finally, we're used to thinking of larceny as being either grand or petty. But what comes below petty? Byte-sized? Teeny? Nano? We're not sure, so we'll call this one maluchnik because the amount scammed in this one seems to warrant its own category. This Lithuanian outfit calling itself Prodeum came out a couple of days ago looking like the usual frothy but implausible blockchain startup. Their stated mission was the tracking of every piece of food on the Internet. What, you say? Why would anyone want this? And in what sense can food be said to be "on" the Internet, outside of, you know, of Minecraft or SimCity? Well, never mind, Granny, you just don't get it: it's blockchain. Maybe it's like for sustainable harvesting, or non-GMO, or something like that. Wasn't there this iced tea company that blockchained itself? And let's not forget Voppercoin, the cryptocurrency that's letting Muscovites eat themselves into a fortune. Anyhoo, Grandpa, Prodeum came up with a typical looking initial coin offering, with tokens offered and tokens promised. But then after a short and happy life of scamming people Prodeum replaced its site with one that displayed just one word, a two syllable word for an intromittent organ, which we will euphemize our way around because we're a family show. And what did the scammers get? Estimates differ, but one that seems right to us puts the take at $11. That's 11, count 'em, 11 Yankee greenbacks, which will get you one upper deck seat at some Orioles ball games with nothing left over for a hot dog or a Natty Boh. Wired says this shows that ICO scams are now just "straight up trolling." What do we say? Just this: "Seriously people."
Dave Bittner: [00:12:41:01] Now a moment to tell you about our sponsor ObserveIT. The greatest threat to business today isn't the outsider trying to get in, it's the people you trust, the ones who already have the keys. Your employees, contractors and privileged users. In fact a whopping 60 percent of online attacks today are carried out by insiders. Can you afford to ignore this real and growing threat? With ObserveIT, you don't have to. See, most security tools only analyze the computer, network or system data, but to stop insider threats, you need to see what users are doing before an incident occurs. ObserveIT combats insider threats by enabling your security team to detect risky activity, investigate in minutes, effectively respond and stop data loss. Want to see it in action for yourself? You can test drive ObserveIT, no installation required at observeit.com/cyberwire, that's observeit.com/cyberwire and we thank ObserveIT for sponsoring our show.
Dave Bittner: [00:13:48:11] And I'm pleased to be joined once again by Doctor Yossi Oren, he's a senior lecturer at the Department of Software and Information Systems Engineering at Ben-Gurion University and he's also a member of BGU's cyber security research center. Yossi, welcome back, today we wanted to talk about some research that you all have done about some vulnerabilities with mobile device cases. What do we need to know here?
Yossi Oren: [00:14:10:00] Let's assume you are a really security conscious person and you don't install anything on your phone that you don't trust and you buy and you do all your repairs in the Apple store and you only install visual software and so on. But let's say that somebody gave you a nice present, it's a phone case, it's a little piece of plastic you can put around your phone.
Dave Bittner: [00:14:27:21] Right.
Yossi Oren: [00:14:28:18] What possibly could go wrong with that, right?
Dave Bittner: [00:14:30:06] Nothing, nothing.
Yossi Oren: [00:14:31:19] Nothing, it's just a piece of plastic, it doesn't connect to your phone in any way, right, it doesn't touch it.
Dave Bittner: [00:14:36:07] Right.
Yossi Oren: [00:14:37:01] It just surrounds it. So this is research which was done together with a grad student called Tomer Gluck and jointly supervised by myself and by Doctor Asaf Shabtai. So we were trying to think, "What if we could build a keylogger which didn't actually need to touch the phone?" So Tomer built something we called the curious case, it's a phone case which actually records all your touches. And how it does that is very, very interesting. So remember it doesn't touch the phone, it doesn't touch your finger, it doesn't connect to the phone in any way.
Dave Bittner: [00:15:11:18] So from the outside, it just looks like a regular plastic or rubberized case?
Yossi Oren: [00:15:16:21] Exactly.
Dave Bittner: [00:15:17:04] Alright.
Yossi Oren: [00:15:17:09] So there is a phenomenon called capacitive sensing, which is actually used in some kind of touch screens, I think in ATMs it's used. And it's designed on the principle that your finger actually changes the capacitance of the things that it's close to. So I'm not going to do 201 electrical engineering here, but if you charge and discharge a capacitor, very quickly the capacitor is going to smooth out this charging and dis-charging and make it into a very, very smoothed out wave. The better the capacitor is, the smoother the wave is.
Yossi Oren: [00:15:58:12] And if you put your finger between the two plates of the capacitor, it's going to ruin this capacitor's capacitance and then the wave is going to become very sharp, it's going to lose its smoothness. And there's actually a way to build a touch screen using this method. How do you do it? You take two pieces of conductive metal, in our case Tomer actually bought a cigarette pack and he threw away all the cigarettes because smoking is bad for you and he took the aluminum foil wrapper inside the cigarette box and he cut it into five strips - you can see pictures on our website. He put four strips around the perimeter of the phone, this is inside the case and one large plate on the back. And what we actually did, we treated this as a set of four capacitors and we charged and dis-charged them very quickly and using some signal processing, Tomer was able to discover where the user's finger is. Again, the finger is not touching the case, it's touching the small screen. But we actually did a nice experiment where we did some machine learning and discovered the user's unlock pattern, so they had several unlock patterns which were being drawn on the screens and this curious case was able to discover which one of these patterns was being used.
Dave Bittner: [00:17:18:04] Wow, be cautious of those free devices you get at trade shows.
Yossi Oren: [00:17:22:24] Yes, so don't think that something what touches your phone can be dangerous, only if it connects to your phone, but obviously yes, there's no such thing as a free lunch. So if you're working for the NSA and somebody gives you like a phone case which says, I love the NSA, maybe they don't really love the NSA.
Dave Bittner: [00:17:41:01] Alright, fascinating stuff as always, Doctor Yossi Oren, thanks for joining us.
Dave Bittner: [00:17:48:05] And that's the CyberWire. Thanks to all of our sponsors for making the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help protect you through the use of artificial intelligence, visit cylance.com. And thanks to our supporting sponsor, E8 Security, follow the behavior, find the threat. Visit e8security.com to learn more.
Dave Bittner: [00:18:09:19] The CyberWire podcast is proudly produced in Maryland out of the start up studios of DataTribe, where they're co-building the next generation of cyber security teams and technology. Our show is produced by Pratt Street Media, with editor, John Petrik; social media editor, Jennifer Eiben; technical editor, Chris Russell; executive editor, Peter Kilpe; and I'm Dave Bittner. Thanks for listening.